Turla Hackers Exploit Critical SharePoint Flaw to Access French Accounts
Key Takeaways The Russian-linked Turla APT group has been observed exploiting a critical Microsoft SharePoint flaw to compromise French organizations. The attacks, active since the 2010s, targeted a...
Key Takeaways
- The Russian-linked Turla APT group has been observed exploiting a critical Microsoft SharePoint flaw to compromise French organizations.
- The attacks, active since the 2010s, targeted a broad range of entities, including government ministries, diplomatic bodies, defense organizations, justice-sector entities, and technology companies.
- One notable incident in 2019 involved a French justice-sector server, potentially exposing data from several thousand user accounts.
- Turla utilizes diverse initial access vectors, including phishing, compromised websites, and vulnerable internet-facing systems, often using intermediate victims as relays.
- The group employs both custom malware like Kazuar and publicly available tools such as Mimikatz and Metasploit to maintain stealth and achieve its intelligence collection objectives.
Turla, a sophisticated cyber espionage group that French authorities attribute to Russia’s Federal Security Service (FSB), has once again surfaced in new reports detailing its extensive compromise of French organizations. This long-standing advanced persistent threat (APT) operation has been active for over two decades, consistently focusing on the covert exfiltration of sensitive data from high-value targets across government, diplomatic, defense, justice, and technology sectors.
Table Of Content
The group’s methodology is characterized by its versatility, eschewing reliance on a single attack vector. Turla operators have historically leveraged a combination of spear-phishing emails, malicious websites, unpatched internet-facing systems, and compromised network infrastructure to establish initial footholds. These intrusions often begin with seemingly innocuous files or weakly secured servers, which then serve as springboards for deeper network penetration. French investigators have documented Turla’s targeting of Windows, Linux, and macOS environments, alongside common enterprise platforms such as email services, web browsers, business applications, and web servers, demonstrating a broad attack surface.
Turla Exploits SharePoint Vulnerability
In a significant incident identified in 2019, French investigators uncovered a Turla compromise involving a server belonging to a French justice-sector organization. This server, which hosted an online continuing-education service for its employees, represented a critical entry point due to its connectivity to a large user base.
The attackers exploited a vulnerability within Microsoft SharePoint on this server, subsequently deploying malware. Investigators from France’s Cyber Crisis Coordination Center (C4) and CERT-FR said in a report that this operation potentially granted the attackers access to information linked to several thousand user accounts. This incident starkly highlights how a single vulnerability in a widely used collaboration platform can escalate into a severe privacy and security breach with far-reaching implications.
A Persistent Espionage Operation
Reports shared with Cyber Security News (CSN) indicate that Turla’s campaigns extend beyond high-profile government networks, often utilizing ordinary businesses, associations, and even private individuals as intermediate stepping stones within their complex attack infrastructure. The most critical compromises involved systems handling sensitive communications and user data.
Turla is known for its bespoke malware arsenal, including prominent families such as Uroburos, also known as Snake, and Kazuar. Notably, researchers have observed the continued evolution and deployment of Kazuar as recently as 2026. Beyond custom tools, Turla operators frequently integrate publicly available penetration testing tools like Mimikatz and Metasploit into their operations, a tactic designed to help their malicious activity blend in with legitimate administrative tasks.
French investigators have confirmed that Turla-linked operations have targeted French ministries, diplomatic organizations, defense bodies, justice-sector entities, and technology companies since the 2010s. The group’s activities have persisted against Ukraine, NATO countries, and European Union member states amid Russia’s ongoing conflict with Ukraine. These operations are primarily aimed at intelligence gathering, specifically targeting government institutions, defense organizations, and technology-related entities that could yield strategic insights.
A key characteristic of Turla’s methodology is its ability to chain multiple vulnerabilities and attack techniques. Beyond exploiting software flaws, the group employs sophisticated social engineering tactics, including spear-phishing and watering-hole attacks. These methods trick victims into downloading malicious files disguised as legitimate software, posing a significant risk to users who trust familiar-looking websites or documents.
The infrastructure supporting Turla’s operations is meticulously designed to obscure the identities of its operators. Investigators have found that Turla leverages a network of compromised or rented servers, websites running various content management systems, satellite communications, and pre-infected machines to manage command-and-control (C2) communications and exfiltrate stolen data. This elaborate setup makes detection and attribution significantly more challenging, as a compromised organization may not be the ultimate target but merely a temporary relay point, allowing attackers to blend into normal network traffic while pursuing their primary intelligence objectives.
What You Should Do
- Prioritize and promptly apply all security updates, especially for internet-facing Microsoft SharePoint servers and other publicly accessible services.
- Implement robust monitoring of account activity and investigate any unusual server behavior, particularly on critical infrastructure.
- Enforce the principle of least privilege to limit administrative access to only essential personnel and systems.
- Conduct regular assessments to determine if any compromised systems within your network may have been unwittingly used as relays in broader attack campaigns.
- Educate users on identifying and reporting phishing attempts and suspicious links, even from seemingly legitimate sources.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.