Request a Demo Contact Us

Turla Group

The Turla Group is a Russia-based threat actor that focuses attacks on governments and large enterprises, using legacy malware and older techniques.

The Turla Group is a Russia-based threat actor known by many names. Disambiguating these identities has busied security researchers for several years. These shifting identities of the Turla Group have included Turla Team, Uroburos, Venomous Bear, Group 88, Waterbug, WRAITH, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, and Iron Hunter. Many attacks on government and industry have been attributed to the Turla Group. In addition, their use of legacy malware and older techniques often provide the clues that lead threat researchers to identify Turla Group’s activities.

Security researchers have found that Turla Group has primarily targeted embassies and other government entities. Embassy attacks have been recorded in Germany, Belgium, Ukraine, China, Jordan, Greece, Poland, Germany, Kazakhstan, and Armenia. This focus on government has expanded to private enterprise with targets in pharmaceuticals, retail, and high technology. Turla Group has been an equal opportunity threat actor—they target almost anywhere in the world instead of only selecting targets adversarial to Russia.

The history of Turla Group attacks has included, but is not limited to:

  • A 2008 attack on the United States Central Command.
  • A 2012 attack on the prime minister of a former Soviet Union member country.
  • A 2014 attack on a Swiss defense contractor, RUAG.
  • A 2017 series of attacks infected diplomatic, recreational, and scientific websites with malware.
  • A 2017 attack targeted the G20 attendees.
  • A 2018 attack targeted the German government’s computer networks and infrastructure. The Turla Group also hit the German Federal Foreign Office and the Federal College of Public Administration.
  • Over time, the Turla Group has targeted various United States government agencies, contractors, and businesses.

Turla initially utilizes watering hole attacks, supply-chain compromise, and spear-phishing lures to access a targeted network. Custom malware that links back to Turla’s C&C servers often follows these tactics. Once compromised, Turla Group utilizes other tools to perform reconnaissance (and move laterally) within the compromised organization. They have a well-matured suite of malware that can be used to address most of the situations they encounter.


Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.

Get started with Bugcrowd

Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.