Under Review ACTIVE

Turla

Also known as: Snake, Venomous Bear, IRON HUNTER, Waterbug, Krypton, Secret Blizzard, Group 88

Affiliation Russia (FSB Center 16)

Motivation Espionage

Status active

Country Russia

First Seen 2004

Last Seen 2025

Target Sectors Government, Diplomatic, Military, Research, Media

Target Geographies Europe, Middle East, Central Asia, United States, Global

Executive Summary

Turla, also known as Snake and Venomous Bear, is a Russian state-sponsored cyber-espionage group attributed to FSB Center 16 (the Federal Security Service’s signals intelligence directorate). Active since at least 2004, Turla is one of the most technically advanced and persistent threat actors. The group conducts strategic intelligence collection against government, diplomatic, and military targets, with a primary focus on European and NATO countries.

In May 2023, the U.S. DOJ announced Operation MEDUSA, the court-authorized disruption of the Snake malware network, which had operated for nearly 20 years as Turla’s primary espionage platform. The joint CISA/FBI/NSA advisory (AA23-129A) attributed Snake to FSB Center 16 and provided technical details of the malware’s peer-to-peer C2 architecture.

Notable Campaigns

2004-2023 — Snake Malware Network

Turla operated the Snake malware platform for nearly two decades, maintaining a peer-to-peer network of infected systems across 50+ countries. Snake provided full remote access capabilities with custom encryption and covert C2 designed to evade detection by blending with normal network traffic.

2019-2020 — Hijacking Iranian APT Infrastructure

Turla was observed hijacking the C2 infrastructure of an Iranian threat group (OilRig/APT34), using their access to deploy Turla’s own tools against OilRig’s victims. This operation-on-an-operation demonstrated advanced counter-intelligence capabilities.

2020-2022 — LightNeuron Exchange Server Targeting

Turla deployed LightNeuron, a custom backdoor for Microsoft Exchange servers, enabling persistent email interception and exfiltration of communications from diplomatic and government targets.

Technical Capabilities

Turla demonstrates exceptional technical sophistication. Snake (the group’s signature implant) featured a custom peer-to-peer network for C2 relay, proprietary encryption, and kernel-level rootkit components. ComRAT (Agent.BTZ successor) uses Gmail’s web interface for C2 communications, making detection through network monitoring difficult.

LightNeuron backdoors Exchange Transport Agents to intercept, modify, and block emails at the server level. Kazuar provides modular backdoor capabilities with strong anti-forensics features. TinyTurla serves as a lightweight backup backdoor installed alongside more capable implants.

The group’s ability to hijack other threat actors’ infrastructure (the Iranian APT34 operation) demonstrates advanced counter-intelligence and technical collection capabilities beyond typical espionage groups.

Attribution

CISA advisory AA23-129A and the DOJ’s Operation MEDUSA announcement attributed Turla/Snake to FSB Center 16 with high confidence. The attribution was supported by infrastructure analysis linking Snake’s development to FSB-operated facilities, operational patterns consistent with Russian intelligence collection priorities, and cooperation between NSA, GCHQ, and European intelligence agencies.

MITRE ATT&CK Profile

Initial Access: Watering hole attacks (T1189), spearphishing (T1566), and exploitation of public-facing applications (T1190).

Persistence: LightNeuron Exchange backdoors (T1505.003), kernel rootkits, service installation (T1543.003), and backup implants (TinyTurla).

Command and Control: DNS tunneling (T1071.004), Gmail-based C2 (ComRAT), peer-to-peer relay networks (Snake), and satellite-based C2 interception.

Defense Evasion: Custom encryption, rootkit deployment (T1014), and extensive anti-forensics capabilities.