{ "id": "5c93122c-68ae-4a2f-91fe-8f8f9d9e59ce", "created_at": "2026-04-06T00:11:53.292837Z", "updated_at": "2026-04-10T03:33:36.199383Z", "deleted_at": null, "sha1_hash": "1098fcd3da8f46934bd4bd835d982e092ba16c54", "title": "Russian group behind 2013 Foreign Ministry hack", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 566821, "plain_text": "Russian group behind 2013 Foreign Ministry hack\r\nPublished: 2016-01-13 · Archived: 2026-04-05 13:29:21 UTC\r\nThe article is more than 10 years old\r\nThe 2013 data hack at the Finnish Foreign Ministry was perpetrated by a group of Russian hackers, and was part\r\nof a wider campaign against targets in nearly fifty countries. Experts contacted by Yle have confirmed that the\r\nattack was perpetrated by the Turla group.\r\nTietoturvayritys arvioi, että Turla on iskenyt yhteensä satoihin kohteisiin lähes viidessäkymmenessä\r\nmaassa. Image: Jyrki Lyytikkä / Yle\r\n13.1.2016 13:21Updated 14.1.2016 7:58\r\nIn 2013 Finland’s Foreign Ministry had its systems hacked by what investigators described as ‘a state actor’. Now\r\nYle's sources have confirmed who was behind the attack: the Turla group of Russian-speaking hackers who\r\nperpetrated attacks on targets in more than 50 countries worldwide during the same period.\r\nStefan Tanase of Kaspersky security says that the Turla group is the premier Russian hacker organization—and it\r\ntargets ministries, embassies and militaries in Russia’s neighbours. \r\n\"We believe that the Turla group is a nation state-sponsored attacker,\" said Tanase. \"We have seen traces in their\r\nmalware and their servers, which we analyse, that point to the fact that the authors are Russian speaking and they\r\ndefinitely seem to have lot of resources to their cyber-espionage operation.\"\r\nYle has confirmed from several European sources that the 2013 attacks on the Foreign Ministry were perpetrated\r\nby the Turla group. The Foreign Ministry says that it has investigated the attacks in the light of similar actions\r\ntargeting other nation states around Russia.\r\nhttps://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548\r\nPage 1 of 2\n\n\"The typical signs in these attack tools can be observed once you get to the stage where you know what you’re\r\nlooking for and can check to see if there’s anything like that, and if there have been any changes in their tools,\"\r\nsaid Ari Uusikartano of the Foreign Ministry.\r\nUusikartano says that the attack by Turla hit most countries in western Europe. Kaspersky, which published a\r\nreport on the methods and targets of Turla (which did not at the time mention Finland) last autumn, has outlined\r\nthe methods used by the attackers.\r\nFirst, cyber spies start by gathering information about the target via sources like social media, public websites and\r\ninternal phone directories.\r\nSecond, they choose a few employees to whom they send emails which include a link to an apparently interesting\r\nwebsite, which appears to be connected somehow to the targets everyday life or area of specialization. The\r\nhackers have however embedded malware in the site concerned.\r\nThird, when the employee visits the site, the malware ends up on his or her computer.\r\nThat allows in the attacker, as happened to the Finnish Foreign Ministry in 2013. The ministry says it's learned it's\r\nlessons from this attack--but the hackers may already have moved on to a new method.\r\nSource: https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548\r\nhttps://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548" ], "report_names": [ "8591548" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434313, "ts_updated_at": 1775792016, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1098fcd3da8f46934bd4bd835d982e092ba16c54.pdf", "text": "https://archive.orkl.eu/1098fcd3da8f46934bd4bd835d982e092ba16c54.txt", "img": "https://archive.orkl.eu/1098fcd3da8f46934bd4bd835d982e092ba16c54.jpg" } }