‘Turla’ spies have been stealing documents from foreign ministries in Eastern Europe, researchers find

Turla has a knack for rewriting code and using it to steal state secrets.
Rather than one continued operation, Turla's espionage missions have come in waves. (Getty Images)

A notorious group of suspected Russian hackers have used a revamped tool to spy on governments in Eastern Europe and quietly steal sensitive documents from their networks, researchers said Tuesday.

The discovery shines greater light on the operations of Turla, an elite cyber-espionage group that’s been around well over a decade and is widely believed to be working on behalf of Russia’s FSB intelligence agency. It’s the latest example of Turla’s ability to write code designed to lurk on victim computers for years and extract state secrets.

Turla is “still actively developing complex and custom pieces of malware in order to achieve long-term persistence in their target’s network,” said Matthieu Faou, a malware researcher at anti-virus firm ESET, who analyzed the code.

The attacks started roughly two years ago, and hit two foreign affairs ministries in Eastern Europe and a national parliament in the Caucasus region bordering Russia, according to Faou. Using a tool they redesigned in 2017, the hackers siphoned off PDF and Word documents from a handful of computers. (It’s unclear what information the documents contained). They used a Gmail address — instead of a malicious domain that might raise suspicions — to send commands to the code they had installed on victim machines, he added.


Rather than one continued operation, the espionage has come in waves. As recently as January, the hackers were exfiltrating documents from one of the foreign ministries, Faou said.

“The code is…very specific to Gmail and we haven’t seen any other version of [the remote hacking tool] able to use another email provider,” he wrote in a white paper.

It’s a page out of an espionage book that Turla has been following for years: using custom code to gather valuable information on their adversaries. Turla’s tools are associated with a damaging breach of U.S. military networks in the mid-to-late 1990s, and an attack on U.S. Central Command in 2008. More recently, they have wormed their way into government agencies across Europe and in former Soviet republics like Armenia.

That level of spying requires a “large arsenal of malware” that the group continues to hone, according to Faou. ESET declined to name the Eastern European governments that were victimized by Turla. Like other victims, they appear to be narrowly targeted for the secrets they hold, and have struggled to repel the attackers.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts