{
	"id": "ea954a8f-1bc3-48b5-8017-df02afe07158",
	"created_at": "2026-04-06T00:21:12.773911Z",
	"updated_at": "2026-04-10T03:33:36.282594Z",
	"deleted_at": null,
	"sha1_hash": "8db9acb833eb8178584fa2f03bf57c383643368e",
	"title": "Sophisticated 'Turla' hackers spying on European governments, say researchers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37844,
	"plain_text": "Sophisticated 'Turla' hackers spying on European governments,\r\nsay researchers\r\nPublished: 2014-08-07 · Archived: 2026-04-05 13:30:54 UTC\r\nOne of the most sophisticated and prolonged cyber espionage campaigns ever seen has been targeting major\r\ngovernments and militaries for more than six years, researchers have revealed.\r\nDubbed the ‘Turla’ hackers, initial intelligence had indicated western powers were key targets, but it was later\r\ndetermined embassies for Eastern Bloc nations were of more interest.\r\nEmbassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all\r\nattacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true\r\ntargets.\r\nIn one case from May 2012, the office of the prime minister of a former Soviet Union member country was\r\ninfected, leading to 60 further computers being affected, Symantec researchers said.\r\nThere were some other victims, including the ministry for health of a Western European country, the ministry for\r\neducation of a Central American country, a state electricity provider in the Middle East and a medical organisation\r\nin the US, according to Symantec.\r\nIt is believed the group was also responsible for a much-documented 2008 attack on the US Central Command.\r\nThe attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer\r\ndata, though their use of encryption across their networks has made it difficult to ascertain exactly what the\r\nhackers took. 
Kaspersky Lab, however, picked up a number of the attackers’ searches through their victims’\r\nemails, which included terms such as “Nato” and “EU energy dialogue”.\r\nThough attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and\r\nSymantec’s Gavin O’Gorman told the Guardian a number of the hackers appeared to be using Russian names and\r\nlanguage in their notes for their malicious code. Cyrillic was also seen in use.\r\nWhether the attackers are Russian or using Russian identities, their target list and the quality of their code\r\nindicated they were almost certainly nation state sponsored, the researchers said.\r\nAs a sign of the high technical capability of the hackers, O’Gorman said they were able to spread across company\r\nnetworks very quickly as soon as they had infected one employee. In one case they were able to spread to\r\napproximately 40 machines in one organisation within a day.\r\nThey have also used zero-day vulnerabilities, previously undiscovered software flaws that have not yet been\r\nrepaired - flaws that require considerable skill, time and resource to identify.\r\nTurla has also been developing its own malware for years, eventually adding rootkit capabilities, which run\r\nmalicious code before the operating system loads. This kind of malware is rare, complex and very useful for\r\nspying on systems without being detected.\r\nThe hackers used two techniques to infect victims with the Turla malware, also known as Uroboros. 
Either they\r\nwould hack into sites they believed their targets would visit and launch malware from there, known as “watering\r\nhole” attacks, or they would send emails containing malicious links and attachments directly to individuals.\r\nOne set of attacks used fake emails claiming to have come from a military attaché at a Middle Eastern embassy,\r\ncontaining an attachment masquerading as the minutes of meetings. When clicked on, the Turla malware would be\r\nthrust on to the user’s computer.\r\nKaspersky said it had seen more than 100 websites hacked by the Turla crew, including the Palestinian Authority\r\nMinistry of Foreign Affairs.\r\nThe attacks were multi-staged. Often malware called Wipbot was initially downloaded, which would do\r\nreconnaissance to determine whether the target was worth surveilling. Wipbot would then be used to download the\r\nTurla spy tool, which has far greater capability. That would then give the attackers remote access to the infected\r\ncomputer, meaning they could siphon off the relevant data and install further malware.\r\n“The current campaign is the work of a well-resourced and technically competent attack group that is capable of\r\npenetrating many network defenses,” Symantec added in its blog post.\r\nSource: https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec"
	],
	"report_names": [
		"turla-hackers-spying-governments-researcher-kaspersky-symantec"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434872,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8db9acb833eb8178584fa2f03bf57c383643368e.pdf",
		"text": "https://archive.orkl.eu/8db9acb833eb8178584fa2f03bf57c383643368e.txt",
		"img": "https://archive.orkl.eu/8db9acb833eb8178584fa2f03bf57c383643368e.jpg"
	}
}