HomeCyber BalkansRussian FSB-Linked Turla Hackers Target French Ministries, Embassies, and Defense Organizations

Russian FSB-Linked Turla Hackers Target French Ministries, Embassies, and Defense Organizations

Published on

spot_img

France has officially attributed a prolonged cyber-espionage campaign, which has been ongoing since the 2010s, to Turla, a sophisticated hacking group linked to the 16th Center of Russia’s Federal Security Service (FSB), also known by its military unit designation, 71330. The revelations come from an extensive investigation by French authorities, who highlighted the campaign’s impact on a broad spectrum of entities within the French government. These include various ministries, diplomatic organizations, defense-related institutions, justice departments, and technology companies.

The French government’s assessment categorizes this operation as a dedicated intelligence-collection mission, with clear indications that the primary intent was not financial gain, but rather to gather sensitive information. The attackers sought to infiltrate official communications and access strategic networks, targeting critical areas of French national interest. The Cyber Crisis Coordination Center (C4), which integrates efforts from various French intelligence and cybersecurity agencies including ANSSI, COMCYBER, DGA, DGSE, and DGSI, concluded that the 16th Center is indeed responsible for the Turla operations.

France’s Foreign Ministry noted that the targeted cyber assaults included breaches of email accounts held by officials of the Ministry of the Armed Forces, underlining the sophisticated nature of this ongoing campaign. This activity was framed as a direct threat not only to French security but also to its sovereignty, accentuating the geopolitical implications of such cyber operations.

Turla, which is also known in the security community by several other names including Snake, Uroburos, and Secret Blizzard, has had a persistent presence in the cyber-espionage landscape since at least 2004. The group is notable for its effective blending of custom malware with publicly available tools, allowing it to infiltrate a wide range of operating environments, including Windows, Linux, and macOS. They have shown proficiency in accessing email platforms, enterprise applications, and internet-facing servers, making them a formidable opponent in the realm of cybersecurity.

The investigation by French authorities traced instances of Turla’s activities back to 2014 when investigations first uncovered the targeting and compromise of ministerial entities using Uroburos malware. Since 2017, there have been repeated breaches involving the email accounts of officials within the Ministry of the Armed Forces, indicating that the threat posed by Turla remains active, particularly against ministries and organizations under their jurisdiction.

In 2018, Turla was implicated in compromising the network of the French Embassy in Moscow, an operation that involved extensive network reconnaissance and data exfiltration. This particular incident represents a persistent trend in Turla’s targeting strategy, as seen with a notable attack aimed at a French technology company that same year. The group utilized the compromised machines not just as targets, but as relay infrastructure to further their espionage objectives.

This aligns with broader patterns of targeted cyber activity reported globally, including a significant campaign highlighted by Microsoft in 2025, which examined how Turla targeted foreign embassies in Moscow using adversary-in-the-middle techniques. Additionally, in 2019, the group exploited a SharePoint vulnerability at a justice entity that managed a continuing-education service, potentially compromising sensitive information belonging to thousands of users.

Turla employs a variety of techniques to initiate their attacks, utilizing spear-phishing, watering-hole attacks, and exploiting vulnerabilities in business applications, along with zero-day exploits. In many instances, the group has chained vulnerabilities together to deepen their access and ensure persistent entry into high-value networks.

Their malware arsenal is equally extensive, featuring tools such as Epic, ComRAT, Carbon, Mosquito, Penquin, Gazer, Crutch, TinyTurla, LightNeuron, Capibar, and Kazuar. Kazuar, particularly, has been a multi-platform backdoor active since 2016, reflecting Turla’s ability to innovate and update established tools rather than abandon them.

To obfuscate their operations, Turla frequently employs methods such as using compromised servers, hijacking legitimate websites, and leveraging peer-to-peer relay systems for command-and-control purposes. Moreover, they have shown a tendency to repurpose infrastructure associated with other state-sponsored or criminal actors to enhance their stealth.

The European Union has echoed France’s concerns, identifying the FSB’s 16th Center as a controlling entity over multiple cyber-threat groups. The campaign has garnered condemnation from France as part of a broader narrative surrounding ongoing Russian espionage activities targeting Ukraine, NATO members, and other EU states.

This public attribution marks a crucial step in a wider European initiative to impose diplomatic and political costs on state-sponsored cyber operations. For organizations involved in governmental, defense, and advanced technology sectors, this development highlights the necessity of monitoring their email infrastructures and application vulnerabilities while actively hunting for signs of Turla-related malware. The persistent threat posed by such sophisticated actors underscores the vital need for robust cybersecurity measures to protect sensitive information and maintain national security.

Source link

Latest articles

Federal AI Projects Receive Priority in TMF Funding Initiative

TMF Accelerates AI and Permitting Initiatives As Deadline Looms In a strategic move, the U.S....

Novel OAuth Client ID Spoofing Technique Aims at Cloud Environments

Cybercriminals Exploit OAuth Client ID Spoofing to Target Cloud Environments Recent warnings from cybersecurity experts...

EU and UK Sanction Russian National Hackers

Governments Respond to Russian Cyber Aggression Targeting Polish Power Grid In a significant move, the...

ESET H1 2026 Report on Major Data Breaches

Title: ESET Report Unveils Sophisticated Cyber Threat Landscape for H1 2026 The recently released ESET...

More like this

Federal AI Projects Receive Priority in TMF Funding Initiative

TMF Accelerates AI and Permitting Initiatives As Deadline Looms In a strategic move, the U.S....

Novel OAuth Client ID Spoofing Technique Aims at Cloud Environments

Cybercriminals Exploit OAuth Client ID Spoofing to Target Cloud Environments Recent warnings from cybersecurity experts...

EU and UK Sanction Russian National Hackers

Governments Respond to Russian Cyber Aggression Targeting Polish Power Grid In a significant move, the...