Government

Why, and how, Turla spies keep returning to European government networks

Despite a large body of public data on Turla techniques, the suspected Russian hackers keep breaching networks.

October 28, 2020

Getty Images

Turla, a group of suspected Russian hackers known for pinpoint espionage operations, has used updated tools to breach the computer network of an unnamed European government organization, according to new research.

The research from consulting giant Accenture shows how, despite a large body of public data on Turla techniques, and a warning from Estonian authorities linking the hackers with Russia’s FSB intelligence agency, the group remains adept at infiltrating European government networks.

The hacking tools are tailored to the victim organization, which Accenture did not name, and have been used over the last few months to burrow into the internal network and then ping an external server controlled by the attackers.

The stealth is typical of Turla, which is known for stalking embassies and foreign affairs ministries in Europe and elsewhere for sensitive data. Turla’s tools are associated with a damaging breach of U.S. military networks in the mid-to-late 1990s, and an attack on U.S. Central Command in 2008. More recently, they have wormed their way into government agencies across Europe and in former Soviet republics like Armenia.

The group maintains an “ecosystem of efficient” tools for breaking into and moving through computer networks, Accenture researchers said in response to questions from CyberScoop. “The use of defense evasion techniques and the tailoring of tools to a specific target allows the group to reuse old tools that have been updated for the campaign at hand,” they said.

While apparently effective, the spies are still being documented by researchers, and presumably, by rival intelligence agencies.

Matthieu Faou, a malware researcher at anti-virus company ESET who tracks Turla, said the group is effective, in part, because of the lengths to which they go to obtain network access.

“They will put as much effort as is needed to compromise their targets,” Faou said. It can be difficult to keep Turla operatives out of a breached network because they swipe administrative passwords or create Windows accounts they can later use for access, he added.

Why, and how, Turla spies keep returning to European government networks

More Like This

FBI director warns of China’s preparations for disruptive infrastructure attacks

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

Top Stories

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

Hackers with links to Pro-Russian groups compromised foreign embassies in Belarus, researchers say

Kaspersky discovers overlap between SolarWinds hack, Turla

How the Russian hacking group Cozy Bear, suspected in the SolarWinds breach, plays the long game

Russian-speaking hackers target Russian organizations with industrial spying tools

Before targeting Belarus, Eastern Europe-focused hackers flew under the radar

How spies used LinkedIn to hack European defense companies

‘Turla’ spies have been stealing documents from foreign ministries in Eastern Europe, researchers find

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics