Turla, a cyber espionage group linked to Russia’s Federal Security Service, has been implicated in compromising French organizations by exploiting vulnerabilities in Microsoft SharePoint servers. This group, active for over two decades, is known for targeting government, diplomatic, defense, justice, and technology sectors to steal sensitive information.
Turla employs various methods to infiltrate systems, including phishing emails, infected websites, exploiting vulnerable internet-facing systems, and compromising network equipment. Their campaigns often start with seemingly innocuous files or weakly protected servers, which they use to gain deeper access into organizational networks.
Investigations by France’s Cyber Crisis Coordination Center (C4) and CERT-FR have revealed Turla’s activities against French entities. Notably, the group doesn’t limit its attacks to high-profile government networks; ordinary businesses, associations, and individuals have also been used as intermediaries in their operations. This strategy allows Turla to use compromised systems as hidden relays, making their activities harder to detect and enabling them to blend into legitimate network traffic.
In 2019, Turla compromised a server belonging to a French justice-sector organization. This server hosted a continuing-education service for staff, providing a valuable entry point into an environment connected to numerous users. By exploiting a vulnerability in Microsoft SharePoint, the attackers installed malware on the server, potentially accessing information associated with several thousand user accounts. This incident underscores how a single exposed collaboration platform can lead to widespread privacy and security issues.
Turla’s operations have affected various French ministries, diplomatic organizations, defense bodies, justice-sector entities, and technology companies since the 2010s. The group’s use of compromised systems as launch points for further attacks complicates detection efforts, as the initial victim may not be the ultimate target.
Turla is associated with custom malware families such as Uroburos (also known as Snake) and Kazuar. Researchers have noted that Kazuar has continued to evolve and remains in use as of 2026. Additionally, Turla operators utilize publicly available tools like Mimikatz and Metasploit to blend their intrusions into normal administrative activities.
Given Turla’s persistent and evolving tactics, organizations must remain vigilant. Regularly updating and patching systems, especially widely used platforms like SharePoint, is crucial. Implementing robust monitoring and incident response strategies can help detect and mitigate such sophisticated threats. The exploitation of SharePoint vulnerabilities by Turla highlights the importance of securing collaboration tools that are integral to modern organizational operations.