The Underground History of Russia’s Most Ingenious Hacker Group

Ask Western cybersecurity intelligence analysts who their “favorite” group of foreign state-sponsored hackers is, the adversary they can’t help but begrudgingly admire and obsessively study, and most won’t name any of the hacker groups working on behalf of China or North Korea. Neither China’s APT41, with its daring supply chain attack sprees, nor North Korea’s Lazarus hackers carrying out massive cryptocurrency heists. Most won’t even single out Russia’s notorious Sandworm hacking group, despite that military unit’s unprecedented blackout cyberattacks against power grids and its self-replicating destructive code.

Instead, hacker connoisseurs tend to name a much more subtle team of cyberspies who, in various ways, have been quietly penetrating Western networks for longer than anyone else: a group known as Turla.

Last week, the US Department of Justice and the FBI announced that they had taken down an operation by Turla, also known by names like Venomous Bear and Waterbug, which had infected computers in more than 50 countries with a piece of malware known as Snake, which the US agencies described as the “main spy tool” of Russia’s FSB intelligence agency. By infiltrating Turla’s network of hacked machines and sending the malware a command to delete itself, the US government dealt a serious blow to Turla’s global spying campaigns.

But in their announcement, and in the court documents filed to carry out the operation, the FBI and the Department of Justice went further and officially confirmed for the first time a report by a group of German journalists last year that revealed that Turla works for the FSB’s Center 16 group in Ryazan, outside Moscow. They also hinted at Turla’s incredible longevity as one of the world’s leading cyber-espionage teams: an affidavit filed by the FBI claims Turla’s Snake malware had been in use for almost 20 years.

In fact, Turla has arguably been in operation for at least 25 years, says Thomas Rid, professor of strategic studies and historian of cybersecurity at Johns Hopkins University. He points to evidence that it was Turla, or at least some sort of proto-Turla that would become the group we know today, that carried out the first intelligence-agency cyberespionage operation targeting the US, a multi-year hacking campaign known as Moonlight Maze.

Given that history, the group will definitely be back, Rid says, even after the latest FBI disruption of its toolkit. “Turla really is the quintessential APT,” Rid says, using the abbreviation for “advanced persistent threat,” a term the cybersecurity industry uses for elite state-sponsored hacking groups. “Their tools are very sophisticated, stealthy and persistent. A quarter of a century speaks for itself. Really, they are the number one adversary.”

Throughout its history, Turla has repeatedly disappeared into the shadows for years, only to reappear inside well-protected networks, including those of the US Pentagon, defense contractors, and European government agencies. But even more than its longevity, it’s Turla’s ever-evolving technical ingenuity, from USB worms to satellite-based hacking to hijacking other hackers’ infrastructure, that has set it apart over those 25 years, says Juan Andrés Guerrero-Saade, principal threat researcher at security company SentinelOne. “You look at Turla, and there are several phases where, oh my gosh, they did something amazing, they pioneered this other thing, they tried a clever technique that no one had done before, they scaled it up and implemented it,” says Guerrero-Saade. “They are innovative and pragmatic, and it makes them a very special APT group to follow.”
