Threat Actor Profile
Description
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (68)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'aliases': ['Turla',
'IRON HUNTER',
'Group 88',
'Waterbug',
'WhiteBear',
'Snake',
'Krypton',
'Venomous Bear',
'Secret Blizzard',
'BELUGASTURGEON'],
'created': '2017-05-31T21:31:49.816Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Turla](https://attack.mitre.org/groups/G0010) is a cyber '
"espionage threat group that has been attributed to Russia's "
'Federal Security Service (FSB). They have compromised '
'victims in over 50 countries since at least 2004, spanning a '
'range of industries including government, embassies, '
'military, education, research and pharmaceutical companies. '
'[Turla](https://attack.mitre.org/groups/G0010) is known for '
'conducting watering hole and spearphishing campaigns, and '
'leveraging in-house tools and malware, such as '
'[Uroburos](https://attack.mitre.org/software/S0022).(Citation: '
'Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: '
'CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan '
'2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake '
'Malware May 2023)',
'external_references': [{'external_id': 'G0010',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0010'},
{'description': '(Citation: Accenture HyperStack '
'October 2020)',
'source_name': 'BELUGASTURGEON'},
{'description': '(Citation: CrowdStrike VENOMOUS '
'BEAR)',
'source_name': 'Krypton'},
{'description': '(Citation: CrowdStrike VENOMOUS '
'BEAR)(Citation: ESET Turla '
'PowerShell May 2019)(Citation: Talos '
'TinyTurla September 2021)',
'source_name': 'Snake'},
{'description': '(Citation: CrowdStrike VENOMOUS '
'BEAR)(Citation: Talos TinyTurla '
'September 2021)',
'source_name': 'Venomous Bear'},
{'description': '(Citation: Kaspersky Turla)',
'source_name': 'Turla'},
{'description': '(Citation: Leonardo Turla Penquin '
'May 2020)',
'source_name': 'Group 88'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)',
'source_name': 'Secret Blizzard'},
{'description': '(Citation: Secureworks IRON HUNTER '
'Profile)',
'source_name': 'IRON HUNTER'},
{'description': 'Accenture. (2020, October). Turla '
'uses HyperStack, Carbon, and Kazuar '
'to compromise government entity. '
'Retrieved December 2, 2020.',
'source_name': 'Accenture HyperStack October 2020',
'url': 'https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity'},
{'description': 'Based similarity in TTPs and malware '
'used, Turla and Waterbug appear to '
'be the same group.(Citation: '
'Symantec Waterbug)',
'source_name': 'Waterbug'},
{'description': 'Cisco Talos. (2021, September 21). '
'TinyTurla - Turla deploys new '
'malware to keep a secret backdoor on '
'victim machines. Retrieved December '
'2, 2021.',
'source_name': 'Talos TinyTurla September 2021',
'url': 'https://blog.talosintelligence.com/2021/09/tinyturla.html'},
{'description': 'ESET, et al. (2018, January). '
'Diplomats in Eastern Europe bitten '
'by a Turla mosquito. Retrieved July '
'3, 2018.',
'source_name': 'ESET Turla Mosquito Jan 2018',
'url': 'https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf'},
{'description': 'ESET. (2017, August). Gazing at '
'Gazer: Turla’s new second stage '
'backdoor. Retrieved September 14, '
'2017.',
'source_name': 'ESET Gazer Aug 2017',
'url': 'https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf'},
{'description': 'Faou, M. and Dumont R.. (2019, May '
'29). A dive into Turla PowerShell '
'usage. Retrieved June 14, 2019.',
'source_name': 'ESET Turla PowerShell May 2019',
'url': 'https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/'},
{'description': 'FBI et al. (2023, May 9). Hunting '
'Russian Intelligence “Snake” '
'Malware. Retrieved June 8, 2023.',
'source_name': 'Joint Cybersecurity Advisory '
'AA23-129A Snake Malware May 2023',
'url': 'https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf'},
{'description': "Kaspersky Lab's Global Research & "
'Analysis Team. (2017, August 30). '
'Introducing WhiteBear. Retrieved '
'September 21, 2017.',
'source_name': 'Securelist WhiteBear Aug 2017',
'url': 'https://securelist.com/introducing-whitebear/81638/'},
{'description': "Kaspersky Lab's Global Research and "
'Analysis Team. (2014, August 7). The '
'Epic Turla Operation: Solving some '
'of the mysteries of Snake/Uroburos. '
'Retrieved December 11, 2014.',
'source_name': 'Kaspersky Turla',
'url': 'https://securelist.com/the-epic-turla-operation/65545/'},
{'description': 'Leonardo. (2020, May 29). MALWARE '
'TECHNICAL INSIGHT TURLA '
'“Penquin_x64”. Retrieved March 11, '
'2021.',
'source_name': 'Leonardo Turla Penquin May 2020',
'url': 'https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf'},
{'description': 'Meyers, A. (2018, March 12). Meet '
'CrowdStrike’s Adversary of the Month '
'for March: VENOMOUS BEAR. Retrieved '
'May 16, 2018.',
'source_name': 'CrowdStrike VENOMOUS BEAR',
'url': 'https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/'},
{'description': 'Microsoft . (2023, July 12). How '
'Microsoft names threat actors. '
'Retrieved November 17, 2023.',
'source_name': 'Microsoft Threat Actor Naming July '
'2023',
'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
{'description': 'Secureworks CTU. (n.d.). IRON '
'HUNTER. Retrieved February 22, 2022.',
'source_name': 'Secureworks IRON HUNTER Profile',
'url': 'http://www.secureworks.com/research/threat-profiles/iron-hunter'},
{'description': 'Symantec. (2015, January 26). The '
'Waterbug attack group. Retrieved '
'April 10, 2015.',
'source_name': 'Symantec Waterbug',
'url': 'https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1'},
{'description': 'WhiteBear is a designation used by '
'Securelist to describe a cluster of '
'activity that has overlaps with '
'activity described by others as '
'Turla, but appears to have a '
'separate focus.(Citation: Securelist '
'WhiteBear Aug 2017)(Citation: Talos '
'TinyTurla September 2021)',
'source_name': 'WhiteBear'}],
'id': 'intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6',
'modified': '2024-06-26T18:09:33.862Z',
'name': 'Turla',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Matthieu Faou, ESET', 'Edward Millington'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '5.1'}