Turla Group

Threat Actor updated 23 days ago (2024-11-29T14:40:56.388Z)
Download STIX
Preview STIX
The Turla group, also known as Pensive Ursa, Krypton, Secret Blizzard, Venomous Bear, or Uroburos, is a notable threat actor that has been linked to the Russian Federal Security Service (FSB). With a history dating back to 2004, this group operates in painstaking stages, first conducting reconnaissance on their victims' systems before deploying their more sophisticated tools. One such tool is Carbon, a second-stage backdoor used to steal sensitive information from targets of interest. This backdoor may be a "lite" version of Uroburos, and its deployment typically follows an initial stage of system reconnaissance using tools like Tavdig or Skipper. Recently, several new versions of Carbon have been discovered. ESET researchers have analyzed new Tactics, Techniques, and Procedures (TTPs) attributed to the Turla group, which now leverage PowerShell to run malware solely in-memory. Furthermore, similarities have been found between Carbon and another malware strain called Kazuar, further solidifying the attribution of these activities to the Turla group. In response to these threats, the FBI launched Operation Medusa, which resulted in the self-destruction of Turla group's malware. The Turla group has been operational for nearly two decades, even targeting personal computers of journalists reporting on the Russian government. Despite its longevity, the group was eventually taken down, highlighting the persistence required in combatting such long-standing cyber threats.
Description last updated: 2024-05-04T16:45:15.673Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Uroburos is a possible alias for Turla Group. Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen
4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
PowerShell
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Kazuar Malware is associated with Turla Group. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 andUnspecified
3
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Turla Threat Actor is associated with Turla Group. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
6