
Group

G0010

Turla

Aliases

Snake, Uroburos, Venomous Bear, Waterbug, Krypton

Type

State intelligence cyberespionage group.

Target

Diplomatic Missions, Government, Military, Research Institutions

Malware

Snake (Uroburos), ComRAT, LightNeuron

Country

Russia

IoCs on Maltiverse

Maltiverse provides updated IoCs for easy SIEM/SOAR/Firewall/EDR integration.

Who is Turla?

Turla is a long-running cyberespionage group. Governments and security firms attribute it to Russia's Federal Security Service (FSB).

The group has been active for around two decades and is known for complex, creative intrusions and for going to great lengths to hide its tracks. Its primary mission is stealthy, long-term intelligence collection from high-value government, diplomatic and military targets.

Common Tactics and Tools

Turla is defined by stealth and creativity, and it is known for unusual techniques that hide its operations. For example, researchers have documented the group hijacking one-way satellite internet downlinks so that its command-and-control (C2) traffic appears to come from satellite subscribers rather than from Turla's own servers.

The group has also been seen compromising other threat actors. In 2019 the NSA and the UK NCSC reported that Turla had taken over infrastructure belonging to the Iranian group OilRig (APT34) and used it to deliver Turla's own implants, so that the activity looked like Iranian espionage.

Their custom malware is famously complex.

  • Snake (Uroburos): Turla's flagship espionage platform. Snake includes a kernel-mode component that embeds itself deep in the operating system and gives the operators near-invisible, persistent control of a compromised host.
  • ComRAT: A backdoor that has evolved over many years. Recent versions store their components in a virtual file system and receive commands through legitimate services, including the Gmail web interface, so that C2 traffic blends in with normal HTTPS to well-known domains.
  • LightNeuron: A backdoor built specifically for Microsoft Exchange. It registers as a malicious transport agent, which places it directly in the mail flow: Turla can read, modify or block messages before they reach a mailbox, and commands are smuggled in via attachments to otherwise ordinary emails.

How to Defend Against Turla

Defending against a group like Turla requires more than baseline controls. Signature-based detection and perimeter filtering alone are not enough.

  • Harden mail server infrastructure: Treat mail servers as Tier 0 assets. Strictly limit and log who can administer them. Periodically enumerate installed transport agents, mailbox rules and add-ins and compare them against a known-good baseline, since LightNeuron lives in exactly these places. Feed mail telemetry into the rest of your security stack.
  • Implement deep traffic inspection: To counter C2 that rides on legitimate services (ComRAT's Gmail channel, satellite downlinks), inspect decrypted egress where policy allows, and restrict outbound traffic from servers to an explicit allow-list. A mail or domain controller that talks to a webmail provider is suspicious regardless of how the traffic looks.
  • Use kernel-level monitoring: A kernel rootkit such as Snake can hide its files, processes and drivers from user-mode tools, so user-mode enumeration is not sufficient. Deploy Endpoint Detection and Response (EDR) with kernel visibility, enforce driver signing and boot integrity, and alert on unexpected driver loads.
  • Hunt for threats proactively: If your organization fits Turla's target profile, assume you are already compromised. Hunt for intruders on the network, keep threat intelligence feeds current, and do not wait for an alert to investigate.
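The transport-agent audit described above, as an added example that is not part of the original page or of any Turla tooling. It runs in the Exchange Management Shell on a Mailbox or Edge server and flags agents that are not in a baseline list, whose assembly lives outside the Exchange install tree, or whose DLL is unsigned or not signed by Microsoft. The $Baseline names are an illustrative allow-list that should be captured from a known-clean server in your own estate; the Exchange cmdlets (Get-TransportAgent) and the standard Get-AuthenticodeSignature and Get-FileHash cmdlets are real.

```powershell
# Added example: audit Exchange transport agents for signs of a malicious agent
# such as LightNeuron. Run from the Exchange Management Shell on each server.

# Hypothetical baseline of expected agent names. Capture this from a server you
# trust, then keep it under change control; any third-party agent you knowingly
# installed (e.g. an AV vendor's) must be added here or it will be flagged.
$Baseline = @(
    'Transport Rule Agent',
    'Malware Agent',
    'Text Messaging Routing Agent',
    'Text Messaging Delivery Agent',
    'Journaling Agent'
)

# Exchange sets this environment variable on every Exchange server.
$ExchangeRoot = $env:ExchangeInstallPath

$Findings = foreach ($agent in Get-TransportAgent) {
    $reasons = @()
    $sig     = $null
    $hash    = $null

    # 1. Unknown agent name.
    if ($Baseline -notcontains $agent.Identity) {
        $reasons += 'not in baseline'
    }

    if ($agent.AssemblyPath) {
        # 2. Assembly loaded from somewhere other than the Exchange install tree.
        if (-not $agent.AssemblyPath.StartsWith($ExchangeRoot, 'OrdinalIgnoreCase')) {
            $reasons += 'assembly outside Exchange install path'
        }

        if (Test-Path -LiteralPath $agent.AssemblyPath) {
            # 3. Unsigned, tampered, or signed by someone other than Microsoft.
            $sig  = Get-AuthenticodeSignature -FilePath $agent.AssemblyPath
            $hash = (Get-FileHash -LiteralPath $agent.AssemblyPath -Algorithm SHA256).Hash
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
                $reasons += "signed by $($sig.SignerCertificate.Subject)"
            }
        } else {
            # Registered but missing on disk: either a broken install or an
            # attacker cleaning up after themselves. Worth a look either way.
            $reasons += 'assembly path does not exist'
        }
    }

    [pscustomobject]@{
        Identity   = $agent.Identity
        Enabled    = $agent.Enabled
        Priority   = $agent.Priority
        Factory    = $agent.TransportAgentFactory
        Assembly   = $agent.AssemblyPath
        SHA256     = $hash
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Suspicious rows first; the CSV is what you ship to the SIEM or the IR team.
$Findings | Sort-Object Suspicious -Descending | Format-Table Identity, Enabled, Assembly, Suspicious, Reasons -AutoSize
$Findings | Where-Object Suspicious |
    Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-transport-agents.csv"
```

Two caveats when reading the output. A disabled agent is still worth investigating, because an attacker can re-enable it at will. And a transport agent that passes all three checks is not proven benign: a kernel rootkit on the same host could be lying to Get-AuthenticodeSignature and Get-FileHash, which is why this audit complements, rather than replaces, the EDR and egress controls in the list above.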
