
# Turla and Snake malware

Vectra’s behavioral coverage is prepared to detect the types of techniques that the threat group known as Turla has been known to perform in the context of an attack.

It was recently announced that the United States, through an FBI operation codenamed Medusa, disrupted the “Snake” malware attributed to a unit of the Federal Security Service of the Russian Federation known as Turla. Turla had used the Snake malware to create a peer-to-peer network that routes data exfiltrated from target systems back to Turla operators in Russia and to carry out other objectives during a compromise.

While the US government took action to disable the “Snake” malware, organizations that may have been victims of the infection are advised to remain cautious: other malware may have been installed alongside “Snake,” and any exploitable infrastructure that led to the malware being deployed may still remain.

A multi-national advisory was issued alongside the notice of the malware’s disruption that details artifacts and capabilities of the “Snake” malware. Included in that advisory are several Suricata rules which can be deployed using Vectra Match.

The broad set of MITRE ATT&CK tactics and techniques associated with Turla has been well documented over the years and is well covered by Vectra’s behavior-based threat detection. This coverage applies both to actions that would have been executed by the “Snake” malware and to other malware and credentials leveraged by an attacker. Notable alerts related to the techniques known to be used by Turla include Command and Control via the Peer-To-Peer, Hidden DNS Tunnel, Hidden HTTPS Tunnel and Hidden HTTP Tunnel alerts; Discovery via Port Scan and Port Sweep; Lateral Movement with credentials via Privileged Access Analytics or with payloads via Shell Knocker; and Exfiltration via Smash & Grab. The attached PDF contains a full breakdown of how Vectra’s coverage maps to the MITRE ATT&CK techniques associated with Turla.

### Attachments

{% file src="/files/MOdKh5tSWqjP7qt0HweH" %}
