All about Turla, the elusive Russian spy group hacking diplomats' computers

Turla, a sophisticated Russian cyber espionage unit linked to the FSB, is targeting foreign diplomats and embassies through compromised Moscow-based ISPs. This long-standing group, also known as Venomous Bear, employs advanced techniques like spea...

Turla, one of Russia's most advanced and persistent cyber espionage units, is once again in the spotlight for targeting foreign diplomats and embassies — this time by exploiting local internet service providers in Moscow.

According to Microsoft Threat Intelligence, Turla — which it tracks under the codename “Secret Blizzard” — is carrying out ISP-level surveillance operations. The group is believed to operate under the control of Russia’s Federal Security Service (FSB), the successor to the Soviet-era KGB.

The FBI has been tracking Turla for years and disrupted one of its long-running malware networks in 2023. U.S. authorities say the group has been active for nearly two decades, targeting governments, journalists, and international organizations.


What is Turla?

Also known as Waterbug or Venomous Bear, Turla is a state-linked hacking collective believed to be headquartered in Russia. The group has been connected to at least 45 high-profile cyberattacks, including the 2014 German Bundestag attack, 2014 Ukrainian Parliament hacking, and France’s TV5 Monde hacking in 2015. Turla has also reportedly targeted organizations in the Middle East, especially in the energy sector.

As per Forbes, Turla uses a wide range of intrusion techniques, including:

  • Spear-phishing and watering hole attacks
  • Living-off-the-land tactics using native system tools
  • Satellite-based command-and-control (C2) infrastructure
  • Public platforms like Google Drive and Dropbox for data exfiltration
  • Readily available tools such as Metasploit and PowerShell

The group is especially known for deploying “second-stage” malware — payloads that activate after the initial breach and establish a covert backdoor for long-term access and data theft, Forbes claimed in an earlier report.

"Turla is especially dangerous due to its use of advanced, next-level tactics. In recent years, the group has been observed using a unique malware called 'Turla' or 'KRYPTON' that can steal data from air-gapped computers not connected to the internet. The malware uses 'audio exfiltration' to transmit data using the computer's speakers and microphones. The group is extremely sophisticated and can evade detection for long periods of time. In 2014, for example, Turla maintained a foothold in a European government agency's network for over two years before being discovered," the Forbes report added.
