The Underground History of Turla, Russia’s Most Ingenious Hacker Group

Ask Western cybersecurity intelligence analysts who their “favorite” group of foreign state-sponsored hackers is—the adversary they can’t help but grudgingly admire and obsessively study—and most won’t name any of the multitudes of hacking groups working on behalf of China or North Korea. Not China’s APT41, with its brazen sprees of supply chain attacks, nor the North Korean Lazarus hackers who pull off massive cryptocurrency heists. Most won’t even point to Russia’s notorious Sandworm hacker group, despite the military unit’s unprecedented blackout cyberattacks against power grids or destructive self-replicating code.

Instead, connoisseurs of computer intrusion tend to name a far more subtle team of cyberspies that, in various forms, has silently penetrated networks across the West for far longer than any other: a group known as Turla.

Last week, the US Justice Department and the FBI announced that they had dismantled an operation by Turla—also known by names like Venomous Bear and Waterbug—that had infected computers in more than 50 countries with a piece of malware known as Snake, which the US agencies described as the “premiere espionage tool” of Russia’s FSB intelligence agency. By infiltrating Turla’s network of hacked machines and sending the malware a command to delete itself, the US government dealt a serious setback to Turla’s global spying campaigns.

But in its announcement—and in court documents filed to carry out the operation—the FBI and DOJ went further, and officially confirmed for the first time the reporting from a group of German journalists last year which revealed that Turla works for the FSB’s Center 16 group in Ryazan, outside Moscow. It also hinted at Turla’s incredible longevity as a top cyberspying outfit: An affidavit filed by the FBI states that Turla’s Snake malware had been in use for nearly 20 years.

In fact, Turla has arguably been operating for at least 25 years, says Thomas Rid, a professor of strategic studies and cybersecurity historian at Johns Hopkins University. He points to evidence that it was Turla—or at least a kind of proto-Turla that would become the group we know today—that carried out the first-ever cyberspying operation by an intelligence agency targeting the US, a multiyear hacking campaign known as Moonlight Maze.

Given that history, the group will absolutely be back, says Rid, even after the FBI’s latest disruption of its toolkit. “Turla is really the quintessential APT,” says Rid, using the abbreviation for “advanced persistent threat,” a term the cybersecurity industry uses for elite state-sponsored hacking groups. “Its tooling is very sophisticated, it’s stealthy, and it’s persistent. A quarter-century speaks for itself. Really, it’s adversary number one.”

Throughout its history, Turla has repeatedly disappeared into the shadows for years, only to reappear inside well-protected networks including those of the US Pentagon, defense contractors, and European government agencies. But even more than its longevity, it’s Turla’s constantly evolving technical ingenuity—from USB worms, to satellite-based hacking, to hijacking other hackers’ infrastructure—that’s distinguished it over those 25 years, says Juan Andres Guerrero-Saade, a principal threat researcher at the security firm SentinelOne. “You look at Turla, and there are multiple phases where, oh my god, they did this amazing thing, they pioneered this other thing, they tried some clever technique that no one had done before and scaled it and implemented it,” says Guerrero-Saade. “They’re both innovative and pragmatic, and it makes them a very special APT group to track.”