The Serpent: Turla

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 4

Russia (FSB)

G0010

★★★★★

risk 4/5

✦ The Serpent ✦

Turla

Snake · Uroburos · Waterbug · Venomous Bear · Krypton

GovernmentMilitaryEmbassiesDefense contractors

Active since ~1996 · Long-term espionage, Diplomatic intelligence, Counter-intelligence

The oldest of the Russian intelligence snakes. It coils around your infrastructure for years, whispering intelligence through mail protocol tunnels, moving slowly so as never to disturb the air.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1090.004

Domain Fronting

Command and Control

T1071.003

Mail Protocols

Command and Control

T1560

Archive Collected Data

Collection

T1014

Rootkit

Defense Evasion

T1584.004

Compromise Infrastructure: Server

Resource Development

T1134

Access Token Manipulation

Privilege Escalation

Notable Operations

◆Moonlight Maze (1996-1999, attributed)
◆Agent.BTZ (Pentagon USB worm, 2008)
◆Carbon malware framework (ongoing)
◆Hijacking Iranian APT34 infrastructure (2019)

Defenses

▸
DNS monitoring and filtering for tunneling behaviors
CIS Control 9 ↗
▸
USB device control and removable media policies
CIS Control 10 ↗
▸
Email header analysis and C2 traffic inspection
NIST CSF: DE.CM ↗
▸
Kernel integrity monitoring for rootkit detection
CIS Control 10 ↗

Reversed: Their Weakness

Turla's longevity is also its exposure. Malware strains linked back to Moonlight Maze-era code have allowed researchers to trace its lineage across 25 years of operations.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Destroyer Next →The Archivist

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.