Turla, one of the codenames given by the cyber-security industry to one of Russia's oldest and most "talented" cyber-espionage units, has been very active in the past three years, even though its operations have not received the same media coverage as other, more flashy Russian hacking outfits.
According to new research presented yesterday at the Virus Bulletin security conference held in Montreal, Canada, the group has been behind dozens of hacks around the world, operating with revamped malware and a tendency towards runtime scripting and the usage of open source tools.
"Turla was absent from the milestone DNC hack event where Sofacy [APT28] and CozyDuke [APT29] were both present, but Turla was quietly active around the globe on other projects," said Kaspersky's GReAT team in a report published shortly after the presentation.
But while APT28 and APT29's loudmouth dissemination of the hacked DNC data has led to public inquiries into their ties to Russian intelligence agencies (which eventually led to several public indictments [1, 2, 3]), Turla has remained as much of a mystery as it always was.
Turla hacks are rarely covered by news media, but they always go after strategic targets in the interest of the Russian state.
The group is always very careful about its operational security, revealing few hints about its operators, and it has never relied on social media diversionary tactics like the ones used by APT28, which created and operated the Guccifer 2.0 hacker persona and the Fancy Bears HT Twitter account in an attempt to manipulate the media so that those personas, rather than the Russian state, would take the blame for the hacks.
But while APT28 was busy feeding international media all sorts of Russian propaganda, Turla was occupied hacking government and foreign affairs organizations, universities, news media agencies, and scientific and energy research organizations.
In its recent report, Kaspersky has listed several of the group's hacks from the past three years, including a detailed description of its revamped hacking arsenal, which includes the Mosquito, New Carbon, IcedCoffee, KopiLuwak, WhiteAtlas, and WhiteBear backdoors.
According to the Moscow-based antivirus maker, Turla's Carbon and Mosquito operations focused on government and foreign affairs-related organizations in Central Asia, while WhiteAtlas and WhiteBear activity also targeted foreign affairs-related organizations, but across the globe rather than in one specific region.