Turla Group

Threat Actor updated 7 months ago (2024-05-04T20:30:17.286Z)
The Turla group, also known as Pensive Ursa, Krypton, Secret Blizzard, Venomous Bear, or Uroburos, is a notable threat actor that has been linked to the Russian Federal Security Service (FSB). With a history dating back to 2004, this group operates in painstaking stages, first conducting reconnaissance on its victims' systems before deploying its more sophisticated tools.

One such tool is Carbon, a second-stage backdoor used to steal sensitive information from targets of interest. This backdoor may be a "lite" version of Uroburos, and its deployment typically follows an initial stage of system reconnaissance using tools like Tavdig or Skipper. Recently, several new versions of Carbon have been discovered. ESET researchers have analyzed new Tactics, Techniques, and Procedures (TTPs) attributed to the Turla group, which now leverage PowerShell to run malware solely in memory. Furthermore, similarities have been found between Carbon and another malware strain called Kazuar, further solidifying the attribution of these activities to the Turla group.

In response to these threats, the FBI launched Operation Medusa, which resulted in the self-destruction of the Turla group's malware. The Turla group has been operational for nearly two decades, even targeting personal computers of journalists reporting on the Russian government. Despite its longevity, the group was eventually taken down, highlighting the persistence required in combatting such long-standing cyber threats.
Description last updated: 2024-05-04T16:45:15.673Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Uroburos is a possible alias for Turla Group. Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen | 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
PowerShell
Backdoor
Associated Malware
Alias Description | Association Type | Votes
The Kazuar Malware is associated with Turla Group. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and | Unspecified | 3
Associated Threat Actors
Alias Description | Association Type | Votes
The Turla Threat Actor is associated with Turla Group. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures ( | Unspecified | 6