Turla Group

Threat Actor Profile (updated 2 months ago)
The Turla group, also known as Pensive Ursa, Krypton, Secret Blizzard, Venomous Bear, or Uroburos, is a notable threat actor that has been linked to the Russian Federal Security Service (FSB). With a history dating back to 2004, the group operates in painstaking stages, first conducting reconnaissance on victims' systems before deploying its more sophisticated tools. One such tool is Carbon, a second-stage backdoor used to steal sensitive information from targets of interest. This backdoor may be a "lite" version of Uroburos, and its deployment typically follows an initial stage of system reconnaissance using tools such as Tavdig or Skipper. Several new versions of Carbon have recently been discovered. ESET researchers have analyzed new Tactics, Techniques, and Procedures (TTPs) attributed to the Turla group, which now leverage PowerShell to run malware solely in memory. Similarities have also been found between Carbon and another malware strain, Kazuar, further solidifying the attribution of these activities to the Turla group. In response to these threats, the FBI launched Operation Medusa, which resulted in the self-destruction of the Turla group's malware. The Turla group has been operational for nearly two decades, even targeting the personal computers of journalists reporting on the Russian government. Despite its longevity, the group was eventually taken down, highlighting the persistence required in combating such long-standing cyber threats.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Uroburos | 4 | Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen
Snake | 3 | Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg
Secret Blizzard | 1 | Secret Blizzard, also known as Turla, KRYPTON, and UAC-0003, is a threat actor group linked to Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since the early 2000s, primarily targeting government organizations worldwide. The group's activities we
Pensive Ursa | 1 | Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti
Venomous Bear | 1 | Venomous Bear, also known as Turla, Urobouros, Snake, and other names, is a threat actor group attributed to Center 16 of the Federal Security Service (FSB) of the Russian Federation. The group has been active since at least 2004, targeting diplomatic and government organizations, as well as private
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Backdoor, FBI, PowerShell, Reconnaissance, Russia, Exploits, ESET, Operation Me...
Associated Malware
ID | Type | Votes | Profile Description
Kazuar | Unspecified | 3 | Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
Crutch | Unspecified | 1 | Crutch is a sophisticated malware attributed to the Turla group, first discovered by ESET researchers in December 2020. It is considered a second-stage backdoor, achieving persistence through DLL hijacking. One notable feature of Crutch v4 is its ability to automatically upload files found on local a
Associated Threat Actors
ID | Type | Votes | Profile Description
Turla | Unspecified | 6 | Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp
Medusa | Unspecified | 1 | Medusa, a threat actor group, has been identified as a rising menace in the cybersecurity landscape, with its ransomware activities escalating significantly. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability known as Citrix Bleed (CVE-2023
Waterbug | Unspecified | 1 | Waterbug, also known as Turla, Venomous Bear, and other aliases, is a cyberespionage group closely affiliated with the FSB Russian intelligence agency. This threat actor has been active since at least 2004, targeting government entities, intelligence agencies, educational institutions, research faci
OilRig | Unspecified | 1 | OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Turla’s Group | Unspecified | 1 | None
Source Document References
Information about the Turla Group threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Carbon Paper: Peering into Turla’s second stage backdoor | WeLiveSecurity
BankInfoSecurity | a year ago | Feds Dismember Russia's 'Snake' Cyberespionage Operation
CERT-EU | a year ago | Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
DARKReading | 8 months ago | Upgraded Kazuar Backdoor Offers Stealthy Power
CERT-EU | a year ago | Turla's Snake May be Down, But its Legacy Lives On
CERT-EU | a year ago | FBI Dismantles Russian Malware That Stole Government Secrets - IT Governance USA Blog
CERT-EU | a year ago | Matthieu Faou | WeLiveSecurity
CERT-EU | a year ago | FBI, GCHQ Unite To Foil Russian Malware Hacking Tool
CERT-EU | 10 months ago | Russia’s 'Turla' Group – A Formidable Cyberespionage Adversary
MITRE | a year ago | Turla Crutch: Keeping the “back door” open | WeLiveSecurity
BankInfoSecurity | a year ago | Russian Hackers Probe Ukrainian Defense Sector With Backdoor
CERT-EU | a year ago | Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
Securelist | a year ago | Reassessing cyberwarfare. Lessons learned in 2022
MITRE | a year ago | A dive into Turla PowerShell usage | WeLiveSecurity