Turla Hackers Exploit SharePoint Flaw to Access Thousands of French User Accounts

Turla Hackers Exploit SharePoint Flaw to Access Thousands of French User Accounts










Turla, a long-running cyber espionage operation linked by French authorities to Russia’s Federal Security Service, has again drawn attention after investigators detailed compromises affecting French organizations.

The group has been active for more than two decades and is known for quietly stealing sensitive information from government, diplomatic, defense, justice, and technology targets.

Rather than relying on one method, Turla operators have used phishing emails, infected websites, vulnerable internet-facing systems, and compromised network equipment to gain a foothold.

Their campaigns can begin with a seemingly harmless file or a weakly protected server, then expand into deeper access across an organization’s network.

Members of France’s Cyber Crisis Coordination Center, known as C4 and CERT-FR said in a report shared with Cyber Security News (CSN) that they identified activity tied to the Turla intrusion set against French entities.

The findings show that the campaign was not limited to high-profile government networks, as ordinary businesses, associations, and individuals were also used as stepping stones in the attackers’ infrastructure.

The most serious cases involved systems holding sensitive communications and user data.

Turla has targeted Windows, Linux, and macOS environments, along with email platforms, web browsers, business applications, and web servers, giving the group a broad path into organizations that depend on common enterprise tools.

Turla Hackers Exploit SharePoint Flaw

In 2019, investigators learned that Turla operators had compromised a server belonging to a French justice-sector organization.

The server hosted a continuing-education service for staff, making it a valuable point of entry into an environment connected to a large number of users.

The attackers exploited a vulnerability connected to Microsoft SharePoint and installed malware on the affected server.

C4 investigators concluded that the operation may have given the attackers access to information associated with several thousand user accounts, underlining how one exposed collaboration platform can create a much wider privacy and security problem.

Turla-linked operations have affected French ministries, diplomatic organizations, defense bodies, justice-sector entities, and technology companies since the 2010s.

The report also describes intermediate victims whose systems were taken over and reused as hidden relays for later attacks.

This approach makes an incident harder to spot because a compromised organization may not be the attackers’ final target.

A server, website, or device can be turned into a temporary launch point, helping operators blend into legitimate network traffic while they pursue information from another victim.

A Persistent Espionage Operation

Turla is associated with a collection of custom malware families, including Uroburos, also called Snake, and Kazuar.

Researchers noted that Kazuar has continued to evolve and remained in use in 2026, while Turla operators also use publicly available tools such as Mimikatz and Metasploit when they help the intrusion blend into normal administrative activity.

The group’s activity has continued against Ukraine, NATO countries, and European Union member states during Russia’s war against Ukraine.

French investigators said the operations support intelligence collection, especially against government institutions, defense organizations, and technology-related targets that could provide strategic insight.

Turla has also shown an ability to combine several weaknesses in a single intrusion chain.

In addition to exploiting software flaws, operators have used spearphishing and watering-hole attacks that lure victims into downloading files presented as legitimate software, raising the risk for users who trust familiar-looking websites or documents.

The infrastructure behind these operations is designed to conceal the people operating it.

Investigators said Turla has used compromised or rented servers, websites running content-management systems, satellite communications, and networks of already infected machines to manage commands and retrieve stolen information.

For defenders, the case reinforces the importance of applying security updates quickly, especially to internet-facing SharePoint servers and other public services.

Organizations should also review account activity, investigate unusual server behavior, limit administrative access, and assess whether compromised systems may have been used as relays in a larger operation.

The French findings also show why a breach should not be treated as an isolated technical fault.

When attackers gain access to a shared service used by thousands of people, the possible exposure can extend well beyond the original server and affect communications, identities, internal records, and future targeting opportunities.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

The post Turla Hackers Exploit SharePoint Flaw to Access Thousands of French User Accounts appeared first on Cyber Security News.






Tushar Subhra Dutta





Go to cyber-security-news





Posted

in

, ,

by