threatintel
actor tracker
All actors

Turla

turla · primary source: MITRE · first observed 2003
RU · RussiaState-sponsoredHigh confidencelast cited May 8, 2023 · 3y ago

Russian state-sponsored actor publicly attributed to FSB Center 16. One of the longest-running espionage sets on record, known for the Snake (Uroburos) implant — a sophisticated peer-to-peer covert communications framework used against diplomatic, military, and research targets in NATO countries. The U.S. DOJ disrupted the Snake network in 2023 via Operation MEDUSA.

Aliases

SnakeOtherVenomous BearCrowdStrikeSecret BlizzardMicrosoftIron HunterOtherWaterbugOther

Motivations

espionage

Target sectors

governmentdiplomaticmilitaryresearch

Target countries

USDEGBFRATCHBE

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Turla
  • Russia
  • espionage
Capability
Infrastructure
Victim
  • government
  • diplomatic
  • military
  • US
  • DE
  • +1 more

MITRE ATT&CK techniques

T1071.001T1090.003T1027T1098

Tools & malware

2 entries

Timeline

2 events
  1. AnnouncementHigh2023-05-09·U.S. Department of Justice

    DOJ disrupts Snake malware network (Operation MEDUSA)

    The U.S. Department of Justice announced a court-authorized operation that disrupted the Snake malware peer-to-peer network operated by FSB Center 16 (Turla). The operation used a tool called PERSEUS to issue commands that caused Snake implants on compromised computers worldwide to overwrite themselves.

    dojdisruptionsnakefsb
  2. AdvisoryHigh2023-05-09·CISA

    Joint advisory AA23-129A: Hunting Russian Intelligence Snake Malware

    CISA, FBI, NSA, and Five Eyes partners released a joint advisory publicly attributing the Snake implant to FSB Center 16, describing the architecture of the global peer-to-peer network, and providing technical detection guidance for defenders.

    five-eyessnakefsb

Indicators of compromise

1 indicator
csv
TypeValueFirst seenSource
Name
Snake (Uroburos)
family · Snake
Sophisticated modular peer-to-peer implant attributed to FSB Center 16 (Turla). Known under multiple names — Snake, Uroburos, Turla, EkulturaFS — across ~20 years of operation. Disrupted by the U.S. DOJ's Operation MEDUSA in May 2023.
Dec 31, 2013CISA

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-05-19). Turla — actor profile. Retrieved from https://threatintel.local/actors/turla

latest cited activity · 2023-05-09 · 1 cataloged indicators