BIPI

Turla's Layered Deception: Hijacking Other APTs to Hide

Threat Intelligence

Turla has operated for over 20 years by weaponizing other threat actors' infrastructure, satellite uplinks, and stolen implants to layer attribution confusion into every stage of its operations.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 20, 2024 · 12 min read

#turla #snake #venomous-bear #russia #fsb #persistence

Turla, attributed to Russia's Federal Security Service (FSB) Center 16 and tracked under names including Snake, Venomous Bear, and Waterbug, is arguably the most technically sophisticated persistent threat actor operating today. Active since at least 2004, the group maintains a signature tradecraft element that sets it apart from every other state-sponsored group: it deliberately hijacks the infrastructure, implants, and C2 channels of other nation-state APT groups to layer confusion into every aspect of attribution.

The Infrastructure Hijacking Doctrine

In 2019, the UK's National Cyber Security Centre (NCSC) and NSA jointly published an advisory revealing that Turla had compromised the command-and-control infrastructure of OilRig (APT34, Iran's MOIS), using it as a relay for their own operations against Middle Eastern government targets. This was not a one-off tactic. Researchers have documented Turla repurposing Andromeda botnet infrastructure in 2022, using the commodity botnet's already-infected machines to deliver their own Kopiluwak and QuietCanary implants.

Turla's hijacking of OilRig infrastructure meant that for months, victim telemetry pointed to Iranian threat actors. Any defender who stopped at the first attribution layer missed the actual threat. Attribution is a hypothesis, not a fact.

Satellite Uplink Operations

One of Turla's most documented persistence techniques involves intercepting satellite internet uplinks using DVB-S receivers to receive C2 traffic. The operator spoofs IP addresses of legitimate satellite internet subscribers, sending crafted UDP packets that the satellite receiver delivers to the target host. The C2 upstream channel uses a separate out-of-band mechanism, making traffic analysis extremely difficult: only the downstream beacon traffic traverses satellite infrastructure.

  • Satellite-based C2 was documented in Turla campaigns targeting government and military organizations across the Middle East, Africa, and Central Asia
  • Spoofed IP addresses belonged to legitimate DVB-S subscribers in regions with little cybersecurity visibility, complicating legal process requests
  • The technique predates widespread use of encrypted messaging apps as C2 channels, demonstrating Turla's long-term investment in attribution-resistant communications
  • The Kopiluwak JavaScript dropper was delivered via this channel in at least two documented cases from 2017 through 2019

20-Year Persistence: The Snake Malware Ecosystem

The Snake malware framework, used by Turla since at least 2004, was the subject of a joint international advisory in 2023 following Operation MEDUSA, a coordinated FBI operation that neutralized Snake implants across multiple countries. Snake is a peer-to-peer implant network: infected hosts route traffic through each other, eliminating centralized C2 servers that could be seized or sinkholed. The framework includes a custom encrypted protocol (MARBLE) and a modular plugin architecture that has been continuously developed for two decades.

  1. Snake uses a custom encrypted peer-to-peer protocol (MARBLE) designed to resist traffic analysis and DPI-based detection
  2. Implants are installed as kernel-mode drivers on Windows or as shared libraries on Linux and macOS endpoints
  3. The network automatically re-routes through surviving peers when nodes are taken down, achieving self-healing persistence
  4. Operation MEDUSA neutralized US-based Snake infrastructure in May 2023 using a court-authorized FBI tool (PERSEUS) that sent a self-destruct command to Snake implants
  5. Despite MEDUSA, Snake infrastructure in non-Five Eyes countries remained active post-operation
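To make the self-healing claim in items 3 and 5 concrete, the following is an added illustration (not Snake's code or the MARBLE protocol): a constructed relay mesh in which the operator can reach an implant as long as any chain of surviving peers connects it to an entry node, so neutralizing a single relay only changes the route, and only removing every node on every path isolates the remaining implants.

```python
"""Constructed simulation of a Snake-style peer-to-peer implant mesh.

Hosts relay traffic for their neighbours; `removed` models hosts that a
takedown has neutralized. The routing is generic BFS over a small graph,
not Turla's actual protocol logic.
"""
from collections import deque

# Constructed mesh (undirected links): host -> peers it can relay through.
MESH = {
    "entry-A": {"relay-1", "relay-2"},
    "relay-1": {"entry-A", "relay-3", "victim-X"},
    "relay-2": {"entry-A", "relay-3"},
    "relay-3": {"relay-1", "relay-2", "victim-Y"},
    "victim-X": {"relay-1"},
    "victim-Y": {"relay-3"},
}


def route(mesh, src, dst, removed=frozenset()):
    """Shortest relay chain from src to dst that avoids `removed` hosts.

    Returns the list of hosts on the path, or None if dst is unreachable.
    Neighbours are visited in sorted order so the result is deterministic.
    """
    if src in removed or dst in removed:
        return None
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for peer in sorted(mesh[node] - removed):
            if peer not in parent:
                parent[peer] = node
                queue.append(peer)
    return None


def reachable(mesh, start, removed=frozenset()):
    """All hosts the operator can still reach from `start` after a takedown."""
    return {h for h in mesh if h not in removed and route(mesh, start, h, removed)}
```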

Recent Campaigns and Tooling

  • TinyTurla-NG: a lightweight C# backdoor discovered in 2024 targeting Polish NGOs and Ukrainian entities, designed as a fallback implant when primary Snake infrastructure is disrupted
  • Capibar: a .NET-based credential harvester targeting foreign embassies and ministries of foreign affairs across Europe
  • HybridRAT: a cross-platform implant supporting Windows and Linux deployed against defense industry targets in 2023
  • Kopiluwak: a JavaScript-based reconnaissance tool used for initial environment fingerprinting before deploying heavier implants

MITRE ATT&CK Mapping

Detection Approach

Turla's 20-year operational continuity, combined with its deliberate attribution-confusion tradecraft, makes it the reference case for sophisticated, patient state-sponsored intrusion. Defenders facing Turla cannot rely on single-source attribution or commodity IOC lists: deep behavioral analysis, kernel-level visibility, and cross-agency threat intelligence sharing are prerequisites for meaningful detection.
