Turla Hackers Come Back With New Attacks on Organizations in UK and Post-Soviet States

Turla is a group of cyber criminals who target various government, military, and other institutions alike from which they seek to steal valuable information. It appears to be the hackers are mostly after organizations in Europe or United States. According to the United Kingdom’s National Cyber Security Centre (NCSC), there were other attacks from the same hackers in the past as well. However, the recent events revealed these people were able to update some of their previously used malicious applications called Neuron and Nautilus, and as a result, the infections might now be capable of entering systems undetected. Naturally, the malware from Turla is a massive threat to all targeted organizations, but hopefully, the computer security specialists will find a way to defend systems from such attacks. As for more information on the mentioned hackers and the threats they use, we encourage our readers to review the rest of this article.


To begin with, some sources say Turla hackers made their first appearances back in 2007. It is also believed the group members were behind the attacks against RUAH Swiss Defence Company, the United States Central Command, and some other organizations functioning in Europe and the United States. Moreover, according to the ESET researchers, these hackers have a large toolset, and the most advanced malicious applications are used only on devices containing the most valuable or interesting data to these cyber criminals. Most of the attacks are made on computers running Windows, although the group is known to target macOS, Linux, and other operating systems.

Talking about the attack on organizations in the UK it looks like it was discovered in November 2017. As said earlier, the cyber criminals used two infections called Neuron and Nautilus. In addition, they employed an old rootkit called Snake; with them, they targeted mail and web servers. All of the three mentioned tools can be used to steal sensitive data, for internal network operations, onward attacks on other organizations, etc. Probably after some time, Turla hackers realized these tools might not be as effective as they were earlier since they are already known to various cyber security institutions. It means the attacks could be predicted. Such scenario seems quite realistic given the NSCS members identified a new variant of Neuron malware only a few days later after the first articles warning about possible Turla attacks appeared in the press. In their report posted on January 18, 2018, the NSCS claim to have encountered a new Neuron variant that was modified “to evade previous detection methods.”

Furthermore, ESET specialists have recently discovered other Turla’s group attacks. It is said this time the cyber criminals were after various institutions in the post-Soviet countries, such as embassies or consulates. Apparently, the targeted computers’ users were tricked into installing malicious applications without even realizing it. What is even worse, this time Turla’s created malware managed to perfectly impersonate legitimate applications, such as Adobe Flash Player, making it extremely difficult to realize something is not right. To be more precise when downloading the infected installer it looks as if it is being downloaded from adobe.com, which is the legitimate Adobe Flash Player distribution website.

Luckily, the ESET researchers do not think the cyber criminals’ created malware managed to taint any of the legitimate Adobe Flash updates, corrupt its download web page, or exploit possible vulnerabilities. However, this only confirms that the threat from these hackers only continues to grow. What’s more, these recent attacks not only confirm the hackers’ in question capability of performing sophisticated attacks but also their ability to expand their knowledge and employ more dangerous tools. Unfortunately, as their true identities remain to be hidden there is not knowing how many attacks they will yet initiate. Therefore, it is only natural that the targeted institutions are advised to watch out for the malicious applications from Turla group, even though it might be a difficult task. In other words, while cyber criminals are evolving with their attacks, their victims should keep searching for ways to defend their systems as well.


  1. Advisory: Turla group malware. The United Kingdom’s National Cyber Security Centre.
  2. Diplomats in Eastern Europe bitten by a Turla mosquito. WeLiveSecurity.
  3. Tomáš Foltýn. ESET research: Appearances are deceiving with Turla’s backdoor-laced Flash Player installer. WeLiveSecurity.
  4. Martin Beltov. Turla Group Uses a New Dangerous Malware. Best Security Search.