Extensive Kaspersky research on the virus has unearthed linguistic evidence pointing to a Russian origin.
Seeing as only specific users are targeted, there is little doubt that this is a coordinated espionage effort, and CERT repeatedly mentioned 'special services' as those behind the virus.
Turla is spread in a number of ways - via e-mail, websites that contain malware, etc. - and in several phases. The computer of a user is initially infected with a 'demo' version of a virus, which then gets upgraded if the victim's computer is identified as potentially valuable.
In 2014 Kaspersky Lab counted several hundred computer IPs infected with the virus, distributed in more than 45 countries, with France at the top of the list.
CERT's research revealed that one way of spreading the Turla virus in Latvia was through comments on news portals.
The institution's research, carried out in the second half of 2015, identified about 100 comments that linked to infected destinations posing as news websites.
The comments were posted during a two-year period, but as news websites often delete or altogether disallow comments containing links, of course there may have been many more.
Research by Kaspersky has identified the following areas as targets of the virus.
- Ministry of interior
- Ministry of trade and commerce
- Ministry of foreign/external affairs
- Intelligence
- Embassies
- Military
- Education
- Research
- Pharmaceutical companies
