23 May 2023

Turla Disrupted: What Does That Mean for Russian Cyber Operations?

EMILIO IASIELLO

On May 9, 2023, the U.S. Justice Department issued a press release announcing that its Operation MEDUSA, with the support of allied countries, had disrupted a Russian-operated global computer network infrastructure that has been conducting hostile cyber activities for nearly 20 years. Attributed to the 16th Center of Russia’s Federal Security Service (FSB), the activity dubbed “Turla” has deployed some of the more sophisticated malware seen in operations against hundreds of targets in at least 50 countries, focusing on high-value organizations such as government institutions, media, and any other entity of interest to the Russian government. Some of the more notable victims have been the German Bundestag and the Ukrainian Parliament in 2014, and France’s TV5Monde in 2015, as well as NATO members, among others.

The “Snake” malware is an incredibly complex tool that the Turla operators have consistently updated since its emergence in 2003 to keep it robust and persistent. Once deployed on a victim computer, the malware typically runs undetected by the machine’s owner. It enables its operators to remotely deploy other malware tools to extend its functionality, identify potentially sensitive information, and exfiltrate it surreptitiously. Perhaps more remarkable about this worldwide operation is the fact that it used customized communication protocols, which allowed the actors to obfuscate their activity and avoid detection and monitoring by the victimized countries’ intelligence services.

While the United States spearheaded this effort, the global scale of this advanced cyber espionage group required a multilateral effort that included collaboration from Five Eyes intelligence and law enforcement partners. No detail was given as to the extent of this cooperation, but reports cite the use of a variety of “sources, methods, and partnerships” with respect to the sharing of information about foreign cyber threats. Certainly, given the magnitude of disrupting such a complicated network and the time it took to track and map it, it was necessary for the FBI, in a show of one-upmanship, to create a unique tool to disable the Snake malware on infected computers without impacting the host computer’s legitimate operations.


Unsurprisingly, there has been little-to-no acknowledgement from Russia, which undoubtedly is still feeling the sting of the disruption of one of – if not the – most sophisticated cyber operations groups in its arsenal. The breadth of Turla operations has no doubt been several years in the making, and while the United States and other allied countries have closely tracked Turla’s progression, there has never been a prior attempt to halt its operations. There are several possible explanations for this, including the United States’ desire to keep it running so it could further study how and from where Turla operated, or the United States not having a full understanding of the group’s operations until more recently, when it could organize a response, or perhaps some combination of the two.

The timing of the disruption may indicate that the Five Eyes sought to preemptively dismantle Turla’s infrastructure in advance of an attack that they suspected was imminent, perhaps in concert with Russia’s kinetic military spring offensive. According to one cybersecurity vendor, Turla conducted some of the early cyber reconnaissance against specific Ukrainian targets in the days leading up to the physical invasion in order to execute follow-on surreptitious data theft to support strategic needs. It would follow that Turla may have been ramping up its cyber espionage apparatus to ascertain Ukraine’s plans for a spring counteroffensive, as well as to execute similar campaigns against European and NATO countries to glean internal discussions about the conflict and discover any changes in their positions, intent to provide additional support, or any other relevant change in policy.

The exposure of Russia’s elite cyber espionage group is a significant blow, as over the years Turla continued to display innovation in its tactics, techniques, and procedures, ranging from using entirely unique malware, to rehashing existing cyber criminal infrastructure, to “hitching a ride” on existing Andromeda malware in order to connect with already compromised systems and deploy its own espionage malware. Still, while the disruption appears a success, it may serve only to temporarily upset current Turla activities, provided that the network was the only infrastructure that the group used. That seems unlikely, however, given the role and responsibilities of Center 16, which has been described as Russia’s signals intelligence directorate and presumably has a robust capability that extends beyond just one cyber infrastructure. The group has demonstrated its advanced proficiency, its surreptitious behavior, and its ability to successfully compromise high-profile intelligence targets before being detected. Russia will likely try to find where and how its network was compromised and make the necessary adjustments to reduce the risk of exposure in the future.

What does bear noting, though, and serves as a message to Moscow, is the extent to which the United States and its allies dismantled such a large operation. This required the teamwork of several trusted intelligence agencies, which likely pooled and integrated their knowledge of the vast international operation to achieve such a result. It also shows Moscow that such cooperation can be effective when it comes to tracking and ultimately neutralizing even the most sophisticated of state cyber activities. This is not to say such an endeavor could nullify all state cyber campaigns. Those like SolarWinds demonstrate more clandestine forethought that seeks long-term advantage over immediate gains, and would not be as apparent as knitting together a global network of compromised computers. But as evidenced by foreign partner support of Ukraine’s cyber defense efforts, and now by the joint allied advisory detailing Turla activities, the right collaboration can yield tangible outcomes.

Turla will re-tailor its operations in response to this setback, though this will take some time if the group doesn’t already have backup infrastructure it can use. If it didn’t before, Moscow now knows that it is going against more than Ukraine or the United States in cyberspace. It’s going against the combined, coordinated efforts of some of the top cyber powers in the world. Applying lessons learned could find this group implementing a more decentralized network for future attacks, making it more difficult to track, and perhaps even creating ones that could be “burned” without causing any significant operational impact. Turla will bounce back, and perhaps be more dangerous when it does. In this cyber bout between the West and Russia, the allied punch might have caught Russia by surprise, but based on its history and mission, Turla is hardly down for the count.
