The Epic snake: Turla cyber-espionage campaign

Turla, also known as Snake or Uroburos is one of the most sophisticated ongoing cyber-espionage campaigns. When the first research on Turla/Snake/Uroburos was published, it didn’t answer one major question: how do victims get infected?

The latest Kaspersky Lab research on this operation reveals that Epic is the initial stage of the Turla victim infection mechanism.

Turla big picture:

• Epic Turla / Tavdig: The early-stage infection mechanism.
• Cobra Carbon system/ Pfinet (+others): Intermediary upgrades and communication plugins.
• Snake / Uroburos: High-grade malware platform that includes a rootkit and virtual file systems.

Below are the The Epic Turla Operations: distribution of the top 20 affected countries by Victims IP

The “Epic” project has been used since at least 2012, with the highest volume of activity observed in January-February 2014. Most recently, Kaspersky Lab detected this attack against one of its users on August 5, 2014.

Targets of “Epic” belong to the following categories: government entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign/External affairs, intelligence agencies), embassies, military, research and education organizations and pharmaceutical companies.