Turla Disrupted: What Does That Mean for Russian Cyber Operations?

On May 9, 2023, the U.S. Justice Department issued a press release announcing that its Operation MEDUSA, with the support of allied countries, had disrupted a Russian-operated global computer network infrastructure that had been conducting hostile cyber activities for nearly 20 years. Attributed to the 16th Center of Russia’s Federal Security Service (FSB), the activity dubbed “Turla” has deployed some of the most sophisticated malware seen in operational use, against hundreds of targets in at least 50 countries, focusing on high-value organizations such as government institutions, media, and any other entity of interest to the Russian government. Some of the more notable victims have been the German Bundestag and the Ukrainian Parliament in 2014 and France’s TV5Monde in 2015, as well as NATO members, among others.

The “Snake” malware is an incredibly complex implant that the Turla operators have consistently updated since its emergence in 2003 to keep it robust and persistent. Once deployed on a victim computer, it typically runs undetected by the machine’s owner. It enables its operators to remotely deploy other malware tools to extend its functionality, identify potentially sensitive information, and exfiltrate that information surreptitiously. The more remarkable aspect of this worldwide operation is that it used customized communication protocols, which allowed the actors to obfuscate their activity and avoid detection and monitoring by the intelligence services of victimized countries.

While the United States spearheaded this effort, the global scale of this advanced cyber espionage group required a multilateral effort that included collaboration from Five Eyes intelligence and law enforcement partners. No detail was given as to the extent of this cooperation, but reports cite the use of a variety of “sources, methods, and partnerships” in sharing information about foreign cyber threats.

Certainly, the magnitude of disrupting such a complicated network, and the time it took to track and map it, made it necessary for the FBI, in a show of one-upmanship, to create a unique tool to disable the Snake malware on infected computers without impacting the host computer’s legitimate operations.

Not surprisingly, there has been little-to-no acknowledgment from Russia, which undoubtedly is still feeling the sting of the disruption of one of, if not the, most sophisticated cyber operations groups in its arsenal. The breadth of Turla operations has no doubt been several years in the making, and while the United States and other allied countries have closely tracked Turla’s progression, there had never been a prior attempt to halt its operations. There are several possible explanations for this, including the United States’ desire to keep it running so it could further study how and from where Turla operated. Or it could reflect the United States not having a full understanding of the group’s operations until more recently, when it could organize a response. Or perhaps some combination of the two.

The timing of the disruption may indicate that the Five Eyes sought to preemptively dismantle Turla’s infrastructure in anticipation of a suspected impending attack (perhaps in concert with Russia’s kinetic military spring offensive). Turla conducted some of the early cyber reconnaissance against specific Ukrainian targets in the days leading up to the physical invasion (as a precursor to follow-on surreptitious data theft in support of strategic needs, according to one cybersecurity vendor). It would follow that Turla may have been ramping up its cyber espionage apparatus to ascertain Ukraine’s plans for a spring counteroffensive, as well as to execute similar campaigns against European and NATO countries to glean internal discussions about the conflict, discover any changes in their positions or intent to provide additional support, or detect any other relevant change in policy.

The exposure of Russia’s elite cyber espionage group is a significant blow, as over the years Turla continued to display innovation in its tactics, techniques, and procedures, ranging from using entirely unique malware, to repurposing existing cyber criminal infrastructure, to “hitching a ride” on existing Andromeda malware infections in order to reach already compromised systems and deploy its own espionage malware on them.

Still, while the disruption appears a success, it may serve only to temporarily upset current Turla activities, and then only if this network was the sole infrastructure the group used. That seems unlikely, given the role and responsibilities of Center 16, which has been described as Russia’s signals intelligence directorate and presumably has a robust capability that extends beyond a single cyber infrastructure. The group has demonstrated its advanced proficiency, its surreptitious behavior, and its ability to successfully compromise high-profile intelligence targets before being detected. Russia will likely try to find where and how its network was compromised and make the necessary adjustments to reduce the risk of exposure in the future.

What does bear noting, though, and serves as a message to Moscow, is the extent to which the United States and its allies dismantled such a large operation. This required the teamwork of several trusted intelligence agencies, which likely pooled and integrated their knowledge of the vast international operation to achieve such a result. It also shows Moscow that such cooperation can be effective when it comes to tracking and ultimately neutralizing even the most sophisticated state cyber activities.

This is not to say such an endeavor could nullify all state cyber campaigns. Operations like SolarWinds demonstrate more clandestine forethought, seeking long-term advantage over immediate gains, and would not be as visible as knitting together a global network of compromised computers. But as evidenced by foreign partner support of Ukraine’s cyber defense efforts, and now by the joint allied advisory detailing Turla activities, the right collaboration can yield tangible outcomes.

Turla will re-tailor its operations in response to this setback, though this will take some time if the group doesn’t already have backup infrastructure it can use. If it didn’t before, Moscow now knows that it is going against more than Ukraine or the United States in cyberspace. It’s going against the combined, coordinated efforts of some of the top cyber powers in the world.

Applying lessons learned could lead this group to implement a more decentralized network for future attacks, making it more difficult to track, and perhaps even to build networks that could be “burned” without causing any significant operational impact. Turla will bounce back, and perhaps be more dangerous when it does. In this cyber bout between the West and Russia, the allied punch might have caught Russia by surprise, but based on its history and mission, Turla is hardly down for the count.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.