Turla Hackers Exploited SharePoint Flaw in Attack Affecting Thousands of French Users
Russian-linked Turla hackers exploited a Microsoft SharePoint vulnerability during a 2019 attack on a French justice-sector organization, according to a newly published government investigation.
The affected server hosted a continuing education service for personnel. Investigators concluded that the attackers may have gained access to information connected to several thousand user accounts.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
France’s Cyber Crisis Coordination Center detailed the incident in a new report on Turla attacks against French organizations. The document does not name the affected organization or identify the SharePoint vulnerability that Turla exploited.
SharePoint attack exposed information linked to thousands of accounts
French authorities became aware of the compromised justice-sector server in 2019. Turla operators exploited a flaw related to SharePoint and installed malware on the system.
The investigation found that the attackers potentially gained access to information from several thousand user accounts. However, the report does not confirm that Turla obtained every password or directly took control of all those accounts.
The disclosure forms part of a wider French investigation into cyberespionage operations attributed to the 16th Center of Russia’s Federal Security Service, or FSB. France specifically linked the activity to Unit 61240, which authorities say handles intelligence and offensive cyber operations targeting the country.
| Incident | Details disclosed by France |
|---|---|
| Year detected | 2019 |
| Affected sector | French justice sector |
| Compromised service | A server hosting continuing education services for personnel |
| Initial access | Exploitation of an unspecified SharePoint-related vulnerability |
| Potential exposure | Information associated with several thousand user accounts |
| Attributed group | Turla, linked by French authorities to the FSB’s 16th Center |
France attributes Turla operations to Russia’s FSB
France said the Turla intrusion set has operated since at least 2004 and has conducted intelligence-gathering campaigns against strategic organizations and individuals around the world.
In an accompanying formal attribution statement, the French Foreign Ministry condemned Russian cyberespionage operations targeting the country’s strategic interests. It said Unit 61240 had targeted France through persistent malicious activity over several years.
The French government connected Turla to attacks involving ministries and organizations in the diplomatic, defense, justice, research, and technology sectors. Some victims represented final espionage targets, while attackers used others as relays within Turla’s infrastructure.
Turla also targeted French ministries and defense research
The SharePoint incident was one of several Turla-linked compromises described by investigators. French authorities said the operation had targeted government and private organizations since the 2010s.
Known French targets and incidents include:
- Ministerial organizations compromised with Uroburos malware in 2014.
- Email accounts belonging to officials at the Ministry of the Armed Forces since at least 2017.
- The French Embassy in Moscow’s Foreign Ministry network in 2018.
- Machines at a French technology organization that attackers converted into relay infrastructure in 2018.
- The justice-sector SharePoint server compromised in 2019.
- Several intermediate French victims compromised between 2019 and 2025.
- An advanced technology organization targeted by suspected Turla activity in 2025.
France also said a February 2025 attack targeted a research institute working on sensitive technologies for the French defense industry. That intrusion led to the theft of a significant volume of data.
The French attribution statement also linked Turla to attacks against Ministry of the Armed Forces email accounts and the French diplomatic network in Moscow.
Compromised organizations can become hidden attack relays
French investigators divided Turla’s victims into two groups. Final-stage victims hold information that the attackers want to steal, while intermediate victims provide infrastructure for reaching other targets.
An intermediate victim may have no direct connection to government intelligence or defense work. Turla can compromise an ordinary business, association, website, or individual device and use it to conceal command-and-control traffic.
This technique allows malicious activity to appear as if it comes from a legitimate French or European system. It can also make attribution harder and prevent defenders from seeing the true path between the attackers and their main target.
| Victim type | Purpose in a Turla operation |
|---|---|
| Final-stage victim | Provides government, diplomatic, defense, research, or technology information for espionage. |
| Intermediate victim | Acts as a relay, command server, or other part of the attackers’ hidden infrastructure. |
Turla uses custom malware and publicly available tools
The group maintains a large malware collection that includes Uroburos, also known as Snake, as well as Epic, ComRAT, Carbon, Mosquito, Gazer, Crutch, TinyTurla, LightNeuron, Capibar, and Kazuar.
Kazuar has remained in use in 2026 after receiving several updates since its first known deployment in Turla campaigns around 2016. The cross-platform backdoor can support long-term intelligence collection on compromised systems.
Turla operators also use common offensive security tools when they meet an operation’s needs. The French report identifies Mimikatz and Metasploit among the publicly available tools associated with the group.
How Turla gains access to targeted networks
Turla does not depend on one initial infection method. Its operators change tactics based on the target, available infrastructure, and weaknesses they can exploit.
Observed initial access techniques include:
- Spearphishing emails carrying malicious files or links.
- Watering-hole attacks that compromise websites likely to attract intended victims.
- Exploitation of internet-facing business applications.
- Compromise of routers and other network equipment.
- Use of known vulnerabilities and previously unknown zero-day flaws.
- Attack chains combining several vulnerabilities.
The group has targeted Windows, Linux, and macOS systems. Its operations have also affected Outlook, Microsoft Exchange, browsers, business applications, and web servers, according to the CERT-FR Turla investigation.
What organizations should do after the disclosure
The historical SharePoint incident shows why organizations must patch internet-facing collaboration servers quickly. A vulnerable public service can expose far more data than the contents stored directly on the compromised machine.
Security teams should also consider whether attackers could have used a server as an intermediate relay. Finding no obvious data theft does not necessarily mean the intrusion had little value to the attackers.
Organizations can reduce their exposure by taking the following steps:
- Install security updates for SharePoint and all other externally accessible applications.
- Remove unsupported server versions and disable services that the organization no longer needs.
- Restrict administrative access through multifactor authentication and trusted network locations.
- Review authentication records for unusual logins, session creation, and privilege changes.
- Monitor servers for unexpected web shells, scheduled tasks, services, and outbound connections.
- Investigate whether compromised systems communicated with unrelated external victims.
- Reset credentials and revoke sessions when account information may have been exposed.
- Preserve logs and forensic evidence before rebuilding an affected server.
The findings also underline the long duration of state-backed cyberespionage campaigns. A compromise detected years ago can remain relevant when investigators connect it to a larger operation and uncover the attackers’ broader objectives.
FAQ
Turla hackers exploited an unspecified SharePoint-related vulnerability on a French justice-sector server in 2019. Investigators said the attackers potentially accessed information linked to several thousand user accounts.
French investigators did not confirm that Turla directly took control of thousands of accounts. They said the attackers may have accessed information associated with several thousand user accounts.
The French report does not identify the specific SharePoint vulnerability. It only states that Turla exploited a vulnerability related to SharePoint to install malware.
French authorities attribute Turla to the 16th Center of Russia’s Federal Security Service, particularly Unit 61240, which they say targets French interests.
Turla targets government, diplomatic, defense, justice, research, technology, education, media, and energy organizations. It also compromises unrelated systems to use them as hidden relays.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages