Why, and how, Turla spies keep returning to European government networks

Despite a large body of public data on Turla techniques, the suspected Russian hackers keep breaching networks.

Turla, a group of suspected Russian hackers known for pinpoint espionage operations, has used updated tools to breach the computer network of an unnamed European government organization, according to new research.

The research from consulting giant Accenture shows how, despite a large body of public data on Turla techniques, and a warning from Estonian authorities linking the hackers with Russia’s FSB intelligence agency, the group remains adept at infiltrating European government networks.

The hacking tools are tailored to the victim organization, which Accenture did not name, and have been used over the last few months to burrow into the internal network and then ping an external server controlled by the attackers.

The stealth is typical of Turla, which is known for stalking embassies and foreign affairs ministries in Europe and elsewhere for sensitive data. Turla’s tools are associated with a damaging breach of U.S. military networks in the mid-to-late 1990s, and an attack on U.S. Central Command in 2008. More recently, they have wormed their way into government agencies across Europe and in former Soviet republics like Armenia.

The group maintains an “ecosystem of efficient” tools for breaking into and moving through computer networks, Accenture researchers said in response to questions from CyberScoop. “The use of defense evasion techniques and the tailoring of tools to a specific target allows the group to reuse old tools that have been updated for the campaign at hand,” they said.

Effective as they evidently are, the spies are still being documented by researchers and, presumably, by rival intelligence agencies.

Matthieu Faou, a malware researcher at anti-virus company ESET who tracks Turla, said the group is effective, in part, because of the lengths to which they go to obtain network access.

“They will put as much effort as is needed to compromise their targets,” Faou said. It can be difficult to keep Turla operatives out of a breached network because they swipe administrative passwords or create Windows accounts they can later use for access, he added.
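The persistence pattern Faou describes, a freshly created Windows account that is then used for access, leaves a correlatable trail in the Security event log. The following is an added example, not code from the article, Accenture or ESET: it correlates account creation (event ID 4720) with privileged-group membership (4732) and first logon (4624) on the same host. The event IDs are the standard Windows ones; the flattened field names, the one-hour window, the business-hours heuristic and the sample events themselves are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a flattened shape (not from the article or any
# real incident). 4720 = user account created, 4732 = member added to a local
# group, 4624 = successful logon. Field names are simplified assumptions.
SAMPLE_EVENTS = [
    {"time": "2020-10-01T02:14:05", "id": 4720, "host": "FS01",
     "subject": "CORP\\jsmith", "target": "svc_backup2"},
    {"time": "2020-10-01T02:14:09", "id": 4732, "host": "FS01",
     "subject": "CORP\\jsmith", "target": "svc_backup2", "group": "Administrators"},
    {"time": "2020-10-01T02:20:30", "id": 4624, "host": "FS01",
     "subject": "svc_backup2", "logon_type": 3},
    {"time": "2020-10-01T09:00:00", "id": 4720, "host": "HR02",
     "subject": "CORP\\helpdesk", "target": "m.rossi"},
    {"time": "2020-10-01T09:05:00", "id": 4732, "host": "HR02",
     "subject": "CORP\\helpdesk", "target": "m.rossi", "group": "Remote Desktop Users"},
]

# Local groups whose membership grants remote or administrative access.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_suspicious_accounts(events, window=timedelta(hours=1)):
    """Return one finding per newly created account that shows at least one
    risk indicator within `window` of its creation on the same host:
    privileged-group membership, an early first logon, or off-hours creation."""
    created = {}  # (host, account) -> the 4720 event that created it
    for ev in sorted(events, key=_ts):
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"])] = ev

    findings = []
    for (host, account), c in created.items():
        t0 = _ts(c)
        reasons = []
        # Heuristic: legitimate provisioning rarely happens in the small hours.
        if t0.hour < 6 or t0.hour >= 20:
            reasons.append("created outside business hours by %s" % c["subject"])
        for ev in events:
            if ev["host"] != host:
                continue
            dt = _ts(ev) - t0
            if not (timedelta(0) <= dt <= window):
                continue
            if ev["id"] == 4732 and ev["target"] == account and ev["group"] in PRIVILEGED_GROUPS:
                reasons.append("added to %s %ds after creation"
                               % (ev["group"], int(dt.total_seconds())))
            elif ev["id"] == 4624 and ev["subject"] == account:
                reasons.append("first logon %ds after creation" % int(dt.total_seconds()))
        if reasons:
            findings.append({"host": host, "account": account,
                             "created_by": c["subject"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_accounts(SAMPLE_EVENTS):
        print("%s\\%s (created by %s):" % (f["host"], f["account"], f["created_by"]))
        for r in f["reasons"]:
            print("  - " + r)
```

In a real deployment the events would come from a SIEM or from `Get-WinEvent` on each host rather than an inline list, and the finding for a help-desk account added to Remote Desktop Users during business hours would be a low-priority candidate for review, whereas an off-hours account that lands in Administrators and logs on minutes later is the kind of foothold Faou is describing.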


Written by Sean Lyngaas
