The Turla spyware trojan which was discovered in August 2014, was found to be operating and targeting governments and militaries worldwide since 2008. In fact Turla and its precursor called Epic were so powerful and stealthy that United States government had created the US Cyber Command after its discovery. Turla had been targeting municipal governments, embassies, militaries and other high-value targets worldwide, with particular concentrations in the Middle East and Europe. At that time Turla was found to have infected more than 500 victim IP addresses in 45 countries. The Turla APT malware works by establishing a backdoor connection to the attackers through which system information is sent in order to determine which exploits are fed to the compromised machine and ultimately where stolen data is exfiltrated. However at that time only Windows machines were found infected. Now Kaspersky has found a new sample of Turla APT which they say is upgraded version to include Linux. Baumgartner stated that the Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. Like its older sibling, its functionality gives utmost importance to hidden network communications, arbitrary remote command execution, and remote management. Kaspersky says that much of the latest Turla version code is derived from public sources and it has been stripped in size to make it leaner and meaner. Turla APT has been long suspected to be operated by a nation state rather than any cyber criminal gang. Even today the extent of its infections are not clear to authorities or the security researchers though it lead to a 14 month cleanup operation and creation of the US Cyber Command. G-Data has long held that the nation state behind Turla APT is Russia, which Russia has vehemently denied time and again.
