GBHackers

Russian FSB-Linked Turla Hackers Target French Ministries, Embassies, and Defense Entities


France has publicly attributed a long-running cyber-espionage campaign targeting government, diplomatic and defence-linked organisations to Turla, an intrusion set associated with the 16th Center of Russia’s Federal Security Service (FSB), also known as military unit 71330.

French authorities said the operation has affected entities across the French state since the 2010s, including ministries, diplomatic organizations, defense-sector bodies, justice institutions, and technology companies.

The targeting profile indicates a sustained intelligence-collection mission rather than financially motivated cybercrime, with attackers seeking access to official communications, strategic networks and sensitive information.

The Cyber Crisis Coordination Center (C4), which brings together ANSSI, COMCYBER, DGA, DGSE and DGSI, assessed that the 16th Center operates Turla.

France’s Foreign Ministry said the FSB specifically targeted email accounts belonging to Ministry of the Armed Forces officials, framing the campaign as malicious activity directed against French national interests.

Turla, also tracked by the security industry as Snake, Uroburos, Secret Blizzard and other aliases, has been active in cyber espionage since at least 2004.

Its operators combine bespoke implants with widely available offensive tools, enabling them to compromise Windows, Linux and macOS environments access, as well as email platforms, browsers, enterprise applications and internet-facing servers.

French investigators identified the targeting and compromise of ministerial entities using Uroburos malware in 2014.

Since at least 2017, Turla operators have compromised email accounts of officials at the French Ministry of the Armed Forces, and authorities assess that the threat remains active against the ministry and organisations under its authority.

In 2018, Turla compromised the network of the French Embassy in Moscow, where operators performed network reconnaissance and exfiltrated data.

CERT issued on July 13, 2026, was accompanied by coordinated statements from France and the European Union, underscoring the strategic significance of the activity.

Russian FSB-Linked Turla Hackers

The actor also compromised machines belonging to a French technology-sector organisation in 2018, using them as relay infrastructure rather than as final espionage targets.

The incident is consistent with Turla’s continued focus on diplomatic missions, including a campaign reported by Microsoft in 2025 targeting foreign embassies in Moscow through adversary-in-the-middle techniques.

In 2019, it exploited a SharePoint vulnerability at a justice-sector entity hosting a continuing-education service, potentially gaining access to information linked to several thousand user accounts.

Turla uses spearphishing, watering-hole attacks, compromised network equipment, vulnerable business applications and zero-day exploits for initial access.

In some operations, it chained multiple vulnerabilities to deepen access and sustain persistence inside high-value networks.

Its malware arsenal includes Epic, ComRAT, Carbon, Mosquito, Penquin, Gazer, Crutch, TinyTurla, LightNeuron, Capibar and Kazuar.

Kazuar, a multi-platform backdoor in use by Turla since 2016, remains active in 2026, highlighting the group’s ability to update established tooling rather than abandon proven implants.

To frustrate attribution and detection, Turla has used compromised or rented servers, hijacked websites and WordPress instances, peer-to-peer relay systems, and satellite communications for command-and-control or data retrieval.

The group is also known to repurpose infrastructure and capabilities connected to other state-sponsored or criminal threat activity.

The EU said it was exposing the FSB’s 16th Center as controlling multiple cyber-threat groups, while France condemned the campaign as part of ongoing Russian espionage activity against Ukraine, NATO members and EU states.

The public attribution reinforces a wider European effort to impose diplomatic and political costs on state-backed cyber operations.

For defenders, the disclosure prioritises monitoring of government and defence email infrastructure, SharePoint and externally exposed applications, alongside hunting for Turla-linked malware and suspicious relay activity.

Organisations supporting diplomatic, defence and advanced-technology functions should treat the actor as a persistent threat capable of exploiting both zero-day vulnerabilities and ordinary weaknesses in identity, patching and endpoint security.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide



Source link