ASK WESTERN CYBERSECURITY intelligence analysts who their "favorite" group of foreign state-sponsored hackers is—the adversary they can't help but grudgingly admire and obsessively study—and most won't name any of the multitudes of hacking groups working on behalf of China or North Korea. Not China's APT41, with its brazen sprees of supply chain attacks, nor the North Korean Lazarus hackers who pull off massive cryptocurrency heists. Most won't even point to Russia's notorious Sandworm hacker group, despite the military unit's unprecedented blackout cyberattacks against power grids or destructive self-replicating code.
Instead, connoisseurs of computer intrusion tend to name a far more subtle team of cyberspies that, in various forms, has silently penetrated networks across the West for far longer than any other: a group known as Turla.
Last week, the US Justice Department and the FBI announced that they had dismantled an operation by Turla—also known by names like Venomous Bear and Waterbug—that had infected computers in more than 50 countries with a piece of malware known as Snake, which the US agencies described as the "premiere espionage tool" of Russia's FSB intelligence agency. By infiltrating Turla's network of hacked machines and sending the malware a command to delete itself, the US government dealt a serious setback to Turla's global spying campaigns.
But in its announcement—and in court documents filed to carry out the operation—the FBI and DOJ went further, and officially confirmed for the first time the reporting from a group of German journalists last year which revealed that Turla works for the FSB's Center 16 group in Ryazan, outside Moscow. It also hinted at Turla's incredible longevity as a top cyberspying outfit: An affidavit filed by the FBI states that Turla's Snake malware had been in use for nearly 20 years.