Global (50+ countries), United States, European Union, Ukraine
Overview
Turla is one of the oldest and most sophisticated Russian cyber espionage groups, attributed to the FSB's Center 16. Active since the mid-1990s, the group is known for its innovative techniques including satellite-based C2, hijacking other threat actors' infrastructure, and deploying rootkits. Turla's Snake malware network was dismantled by the FBI in 2023 via Operation MEDUSA, but the group continues to develop new capabilities.
FBI disruption of Snake malware P2P network spanning 50+ countries.
2020
Iron Tiger/OilRig Hijack
Hijacking of Iranian APT infrastructure for its own espionage operations.
2015
Satellite C2
First known use of satellite internet links for covert C2 communications.
2008
Agent.BTZ / Buckshot Yankee
Compromise of classified US military networks via USB worm.
Detection Engineering
Snake Rootkit Detection
Monitor for unsigned kernel drivers via Sysmon Event ID 6 (Driver Loaded). Detect named pipe patterns used by Snake (e.g., \\.\pipe\isarpc*). Deploy kernel integrity monitoring tools. The FBI released the PERSEUS tool specifically designed to detect and neutralize Snake installations.
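The following is an added example, not from the original page or from any vendor tool, showing how the two Sysmon-based checks above can be expressed as detection logic: it flags Event ID 6 (Driver Loaded) records whose signature is missing or not valid, and Event ID 17/18 (Pipe Created / Pipe Connected) records whose pipe name matches the \\.\pipe\isarpc* pattern. The event records are constructed samples in the shape of Sysmon's field names (ImageLoaded, Signed, SignatureStatus, PipeName); the unsigned driver path is a made-up value, and the assumption that Sysmon's PipeName field omits the \\.\pipe prefix is why the pattern is written as \isarpc*.

```python
import fnmatch

# Constructed sample events in Sysmon field shape (not real telemetry).
# EventID 6 = Driver Loaded, 17 = Pipe Created, 18 = Pipe Connected.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Made-up driver path standing in for an unsigned kernel module.
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\example_unsigned.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 17, "PipeName": r"\isarpc_42", "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 18, "PipeName": r"\lsass", "Image": r"C:\Windows\System32\lsass.exe"},
]

# Sysmon records pipe names without the \\.\pipe prefix (assumption), so the
# page's \\.\pipe\isarpc* pattern becomes \isarpc*. fnmatch treats backslash
# as a literal character, so no extra escaping is needed.
SUSPICIOUS_PIPE_PATTERNS = [r"\isarpc*"]


def is_suspicious_driver(event):
    """Event ID 6 whose driver is unsigned or whose signature did not validate."""
    if event.get("EventID") != 6:
        return False
    signed = str(event.get("Signed", "")).lower() == "true"
    status = event.get("SignatureStatus", "")
    return (not signed) or status != "Valid"


def is_suspicious_pipe(event, patterns=SUSPICIOUS_PIPE_PATTERNS):
    """Event ID 17/18 whose pipe name matches one of the watched patterns."""
    if event.get("EventID") not in (17, 18):
        return False
    name = event.get("PipeName", "").lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def scan(events):
    """Return (rule_name, indicator) tuples for every matching event."""
    alerts = []
    for ev in events:
        if is_suspicious_driver(ev):
            alerts.append(("unsigned_driver_load", ev["ImageLoaded"]))
        elif is_suspicious_pipe(ev):
            alerts.append(("snake_pipe_pattern", ev["PipeName"]))
    return alerts


if __name__ == "__main__":
    for rule, indicator in scan(SAMPLE_EVENTS):
        print(f"{rule}: {indicator}")
```

In practice the driver-load rule produces noise from legitimately unsigned or test-signed drivers on some hosts, so it is usually paired with an allowlist of known hashes; the pipe-name rule is far more specific and is the one worth alerting on directly.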
Audit Exchange TransportAgent registry entries for unknown DLL assemblies. Monitor for emails being silently forwarded, modified, or blocked by transport rules not created by administrators. Check IIS logs for anomalous Exchange Web Services activity.
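As an added example (not from the page and not an Exchange or vendor tool), the audit below reads the transport agent list from an Exchange agents.config-style file rather than the registry and flags any agent whose assembly lives outside the Exchange install root or whose class factory is not in the Microsoft.Exchange namespace. The XML is a constructed sample modelled on the general shape of that file; the install root and the second, rogue-looking agent are assumed values chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the general shape of Exchange's agents.config (not a real file).
SAMPLE_AGENTS_CONFIG = r"""
<configuration>
  <mexRuntime>
    <agentList>
      <agent name="Transport Rule Agent"
             baseType="Microsoft.Exchange.Data.Transport.Routing.RoutingAgent"
             classFactory="Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.TransportRuleAgentFactory"
             assemblyPath="C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Rule\Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.dll"
             enabled="true" />
      <agent name="Content Filter Agent"
             baseType="Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent"
             classFactory="Contoso.Mail.ContentFilterFactory"
             assemblyPath="C:\Windows\Temp\ContentFilter.dll"
             enabled="true" />
    </agentList>
  </mexRuntime>
</configuration>
"""

# Assumed Exchange install root; adjust to the server's actual path.
EXCHANGE_ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15"
KNOWN_NAMESPACE = "Microsoft.Exchange."


def audit_transport_agents(config_xml, exchange_root=EXCHANGE_ROOT):
    """Return a finding for each agent that does not look like a stock Exchange agent."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    findings = []
    for agent in root.iter("agent"):
        name = agent.get("name", "")
        path = agent.get("assemblyPath", "")
        factory = agent.get("classFactory", "")
        reasons = []
        if not path.lower().startswith(exchange_root.lower()):
            reasons.append("assembly outside Exchange install root")
        if not factory.startswith(KNOWN_NAMESPACE):
            reasons.append("class factory not in Microsoft.Exchange namespace")
        if reasons:
            findings.append({"agent": name, "assemblyPath": path,
                             "enabled": agent.get("enabled") == "true",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_transport_agents(SAMPLE_AGENTS_CONFIG):
        print(f"{f['agent']} ({f['assemblyPath']}): {', '.join(f['reasons'])}")
```

A plausible agent name is not evidence of legitimacy, so each flagged DLL should also be checked for an Authenticode signature and compared against the output of Get-TransportAgent and the change records for that server.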
Monitor for unexpected changes in DNS resolution for known C2 infrastructure of other threat actors. Turla has a documented history of hijacking OilRig/APT34 C2 servers. Deploy DNS monitoring for infrastructure changes in threat intel feeds.
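The snapshot comparison below is an added example, not code from the page, of the DNS-change monitoring just described: it diffs two resolution snapshots of tracked domains and classifies each change as a new domain, a domain that stopped resolving, a partial change, or a complete re-pointing, the last being the case most worth a closer look. Both snapshots are constructed, the domains use the reserved .invalid TLD and documentation IP ranges, and resolve_now is an assumed helper for taking a fresh snapshot with the standard socket module.

```python
import socket

# Constructed snapshots: {domain: list of resolved IPs}. In production these would
# come from a resolver or passive-DNS feed at two points in time.
SNAPSHOT_PREV = {
    "c2-example-one.invalid": ["192.0.2.10"],
    "c2-example-two.invalid": ["198.51.100.5", "198.51.100.6"],
    "c2-example-three.invalid": ["203.0.113.7"],
}
SNAPSHOT_CURR = {
    "c2-example-one.invalid": ["192.0.2.10"],        # unchanged
    "c2-example-two.invalid": ["198.51.100.5"],      # one address dropped
    "c2-example-three.invalid": ["203.0.113.99"],    # re-pointed entirely
    "c2-example-four.invalid": ["192.0.2.200"],      # newly tracked
}


def resolve_now(domains):
    """Assumed helper: take a fresh snapshot with the system resolver (not used offline)."""
    snapshot = {}
    for d in domains:
        try:
            snapshot[d] = sorted(socket.gethostbyname_ex(d)[2])
        except socket.gaierror:
            snapshot[d] = []   # no longer resolves
    return snapshot


def diff_resolutions(prev, curr):
    """Classify each domain whose resolution differs between the two snapshots."""
    changes = []
    for domain in sorted(set(prev) | set(curr)):
        old = set(prev.get(domain, []))
        new = set(curr.get(domain, []))
        if old == new:
            continue
        if not old:
            kind = "new_domain"
        elif not new:
            kind = "no_longer_resolves"
        elif old.isdisjoint(new):
            kind = "repointed"        # entire infrastructure swapped: highest priority
        else:
            kind = "partial_change"
        changes.append({"domain": domain, "kind": kind,
                        "added": sorted(new - old), "removed": sorted(old - new)})
    return changes


if __name__ == "__main__":
    for c in diff_resolutions(SNAPSHOT_PREV, SNAPSHOT_CURR):
        print(f"{c['domain']}: {c['kind']} +{c['added']} -{c['removed']}")
```

Ordinary C2 churn also produces "repointed" events, so the signal is strongest when the new address is corroborated by other intelligence, for example when it is already associated with a different actor's infrastructure.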
The most technically sophisticated espionage actor: kernel rootkit capability (Snake), satellite C2, and documented hijacking of other APT groups' infrastructure.
Legal Actions & Sanctions
2023-05
DOJ/FBI disrupts Snake malware network via Operation MEDUSA