Why, and how, Turla spies keep returning to European government networks



Turla, a group of suspected Russian hackers known for pinpoint espionage operations, has used updated tools to breach the computer network of an unnamed European government organization, according to new research.

The research from consulting giant Accenture shows how, despite a large body of public data on Turla techniques, and a warning from Estonian authorities linking the hackers with Russia’s FSB intelligence agency, the group remains adept at infiltrating European government networks.

The hacking tools are tailored to the victim organization, which Accenture did not name, and have been used over the last few months to burrow into the internal network and then beacon out to an external command-and-control server operated by the attackers.

The stealth is typical of Turla, which is known for stalking embassies and foreign affairs ministries in Europe and elsewhere for sensitive data. Turla’s tools are associated with a damaging breach of U.S. military networks in the mid-to-late 1990s, and an attack on U.S. Central Command in 2008. More recently, they have wormed their way into government agencies across Europe and in former Soviet republics like Armenia.

The group maintains an “ecosystem of efficient” tools for breaking into and moving through computer networks, Accenture researchers said in response to questions from CyberScoop. “The use of defense evasion techniques and the tailoring of tools to a specific target allows the group to reuse old tools that have been updated for the campaign at hand,” they said.

Effective as they are, the spies are still being documented by researchers and, presumably, by rival intelligence agencies.

Matthieu Faou, a malware researcher at anti-virus company ESET who tracks Turla, said the group is effective, in part, because of the lengths to which they go to obtain network access.

“They will put as much effort as is needed to compromise their targets,” Faou said. It can be difficult to keep Turla operatives out of a breached network because they swipe administrative passwords or create Windows accounts they can later use for access, he added.
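The persistence tactic Faou describes, creating Windows accounts for later re-entry, leaves a trail in the Security event log that defenders can hunt for. The following is an added illustration, not code from the article, Accenture or ESET: it correlates event ID 4720 (user account created) with event ID 4732 (member added to a security-enabled local group) over a constructed sample of events. The host name, SIDs, privileged-group list, one-hour elevation window and business-hours range are all assumptions made for the example.

```python
"""Flag Windows account creations that look like attacker persistence.

Added example, not from the article or the researchers it quotes. The event
records below are constructed by hand (hypothetical host "FS01", made-up SIDs)
and only mirror the EventData field names of the real 4720/4732 events.
"""
from datetime import datetime, timedelta

# Event IDs from the Windows Security log.
ACCOUNT_CREATED = 4720               # "A user account was created"
MEMBER_ADDED_TO_LOCAL_GROUP = 4732   # "A member was added to a security-enabled local group"

# Assumptions for this example; tune all three to the environment being monitored.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
ELEVATION_WINDOW = timedelta(hours=1)
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 local time

# Constructed sample events. In 4732 the group name travels in TargetUserName and
# the added member is identified by SID only, so 4720 and 4732 are joined on the SID.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2020-10-21T02:14:05", "Computer": "FS01",
     "SubjectUserName": "svc_backup", "TargetUserName": "wsus_helper",
     "TargetSid": "S-1-5-21-1111-2222-3333-1104"},
    {"EventID": 4732, "TimeCreated": "2020-10-21T02:14:40", "Computer": "FS01",
     "SubjectUserName": "svc_backup", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1104"},
    {"EventID": 4720, "TimeCreated": "2020-10-21T09:30:00", "Computer": "FS01",
     "SubjectUserName": "jsmith", "TargetUserName": "new_intern",
     "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4732, "TimeCreated": "2020-10-21T09:31:00", "Computer": "FS01",
     "SubjectUserName": "jsmith", "TargetUserName": "Backup Operators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    # Long-standing account added to Administrators: no matching 4720, so no alert.
    {"EventID": 4732, "TimeCreated": "2020-10-21T15:00:00", "Computer": "FS01",
     "SubjectUserName": "jsmith", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1001"},
]


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_persistence_accounts(events, elevation_window=ELEVATION_WINDOW):
    """Return a list of alert dicts for suspicious local-account activity."""
    created = {}  # (computer, sid) -> the 4720 event that created the account
    for e in events:
        if e["EventID"] == ACCOUNT_CREATED:
            created[(e["Computer"], e["TargetSid"])] = e

    alerts = []
    # Rule 1: any local account created outside business hours is worth a look.
    for e in created.values():
        if _when(e).hour not in BUSINESS_HOURS:
            alerts.append({"severity": "medium", "rule": "off-hours account creation",
                           "computer": e["Computer"], "account": e["TargetUserName"],
                           "by": e["SubjectUserName"], "time": e["TimeCreated"]})

    # Rule 2: a freshly created account placed in a privileged group shortly after
    # creation is the classic "backdoor admin" pattern.
    for e in events:
        if e["EventID"] != MEMBER_ADDED_TO_LOCAL_GROUP:
            continue
        if e["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        origin = created.get((e["Computer"], e["MemberSid"]))
        if origin and timedelta(0) <= _when(e) - _when(origin) <= elevation_window:
            alerts.append({"severity": "high", "rule": "new account added to privileged group",
                           "computer": e["Computer"], "account": origin["TargetUserName"],
                           "group": e["TargetUserName"], "by": e["SubjectUserName"],
                           "time": e["TimeCreated"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_persistence_accounts(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the off-hours creation of `wsus_helper` and its elevation to Administrators 35 seconds later produce two alerts, while the daytime intern account and the pre-existing account's group change do not. In production the same logic would run over events pulled from every host's Security log (or a SIEM), and the stolen-credential half of Faou's point needs different telemetry, such as logons from unusual hosts or at unusual hours for existing admin accounts.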
