Origin: 2004

Aliases: Snake, Venomous Bear, Group 88, Waterbug, WRAITH, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, Iron Hunter, MAKERSMARK, ATK13, G0010, ITG12, Blue Python, SUMMIT, UNC4210

Targeted Sectors: Government, Military, Education, Research, IT, Education, and Pharmaceuticals

Targeted Regions: Belgium, Ukraine, China, the U.S., Jordan, Greece, Kazakhstan, Armenia, Poland, Germany

Common infection vectors: Spearphishing, Watering Hole Attacks, Compromised Satellite Connections

Malware Used: Capibar, Kazuar, Snake, Mosquito, Outlook, Kopiluwak, IcedCoffee, LightNeuron, WhiteBear, WhiteAtlas, Remote Procedure Call, Meterpreter, photobased.dll, Remote Procedure Call, Neptun, QUIETCANARY/Tunnus, ComRAT, Carbon, HyperStack, Topinambour, Tavdig, Skipper, RocketMan!, Crutch, ANDROMEDA, TinyTurla, Gazer,

Motivation: Cyberespionage

Overview

Turla APT (aka Pensive Ursa, Uroburos, Snake) is a Russian-based threat group operating since at least 2004. Linked to the Russian Federal Security Service (FSB), the APT group has been able to position itself as a sophisticated and elusive adversary that orchestrates targeted and converted attacks. Turla has targeted victims across 45 countries, spanning various sectors, such as government, military, education, research, and pharmaceuticals. Notably, the threat group played an active role in the Russian-Ukraine conflict in February 2022, engaging in espionage attacks against Ukraine's defense sector.

While primarily focused on Windows machines, Turla possesses tools capable of targeting macOS and Linux systems. Turla APT was chosen to be the main focus for the 2023 MITRE ATT&CK evaluation. MITRE describes Turla as being “known for their targeted intrusions and innovative stealth.”

Infection Techniques

Turla employs a diverse range of sophisticated strategies, encompassing living-off-the-land techniques, watering hole attacks, targeted spear-phishing emails, and the exploitation of compromised satellite connections. Utilizing publicly available tools like Metasploit and PowerShell, alongside Command and Control (C2) infrastructure, such as Google Drive and Dropbox, Turla showcases versatility.

A key facet of their approach involves deploying second-stage malware post-initial infection, creating a backdoor for network access. Notably, Turla has demonstrated an exceptional level of threat sophistication, employing distinctive malware capable of extracting data from air-gapped systems through innovative audio exfiltration techniques. The actor, in 2015, exploited satellite communications, using a legitimate user's IP address to transmit stolen data via satellite. An antenna connected to their C2 server facilitated data reception.

Malware Tools and TTPs

The Turla hacking group is known for deploying an extensive array of custom-developed malware, coupled with the utilization of publicly accessible tools and the exploitation of known vulnerabilities, to accomplish its objectives.

• Snake : Active since 2003, Snake is a sophisticated modular backdoor in Turla's arsenal, demonstrating extensive capabilities, including communication protocols, a kernel module for stealth, and keylogger functionality. Operation MEDUSA disrupted Snake's activity in 2023, revealing its global reach and a high level of software development capability by its authors.

• ComRAT : Dating back to 2007, ComRAT (Agent.btz) is one of the actors’ oldest backdoors, evolving to version 4 by 2020. Deployed using PowerShell implants, such as PowerStallion, ComRAT's main objective is to steal and exfiltrate confidential documents from high-value targets, posing a long-standing threat.

• Carbon : In use since 2014, Carbon is a modular backdoor framework within the group’s toolkit. Featuring P2P communication capabilities, Carbon facilitates command distribution across infected machines on a network, demonstrating the threat actor's adaptability and persistence over several years.

• Kopiluwak : Discovered in 2016, Kopiluwak operates as a multilayered JavaScript spreader/downloader in Turla's toolkit. Used in various attacks, including a G20-themed attack in 2017, Kopiluwak gathers initial profiling information, emphasizing its role in the initial stages of compromise.

• Kazuar : Discovered in 2017, Kazuar is a .NET backdoor with a potent command set, allowing remote access and plugin loading. In 2021, ties were found between Kazuar and the SUNBURST backdoor used in the SolarWinds Operation. Pensive Ursa utilized Kazuar in a 2023 Ukrainian espionage operation, showcasing its adaptability and potential impact on targeted systems.

• HyperStack : First observed in 2018, HyperStack (SilentMoo, BigBoss) is an RPC backdoor utilized by Pensive Ursa in operations targeting government entities in Europe. Sharing similarities with Carbon, such as encryption schemes and configuration file formats, HyperStack enables control over compromised machines in a local network.

• QUIETCANARY : Pensive Ursa utilized QUIETCANARY, a lightweight .NET backdoor, since 2019, deploying it in tandem with Kopiluwak for attacks in Ukraine. With the ability to execute various commands, download payloads, and employ RC4 encryption for C2 communication, QUIETCANARY represents a concerning element in Pensive Ursa's toolkit.

• Crutch : Uncovered in December 2020, Crutch is a second-stage backdoor in Pensive Ursa's tactics, targeting European entities. Leveraging Dropbox for C2 communication, Crutch showcases the threat actor's adept use of legitimate services for nefarious purposes, highlighting the need for advanced defense strategies.

• TinyTurla : Discovered by Talos in 2021, TinyTurla is a backdoor with features like downloading additional payloads, uploading files to the C2 server, and executing other processes. Its emergence in the US, EU, and Asia underscores Pensive Ursa's global reach and ongoing threat landscape.

• Capibar : Capibar (aka DeliveryCheck or GAMEDAY) emerged in 2022 as a Turla backdoor, employed for espionage against Ukrainian defense forces. Distributed via email with malicious macros, Capibar establishes persistence through scheduled tasks, granting full control of compromised MS Exchange servers, posing a threat to critical infrastructure.

While Turla continues to use the aforementioned malware and tools, here are some other malware/backdoors it has used in the past: Mosquito, Outlook, IcedCoffee, WhiteBear, WhiteAtlas, LightNeuron, Tavdig, Skipper, RocketMan!, and ANDROMEDA.

In addition to these custom tools, Turla has been known to exploit various security vulnerabilities in popular software, such as Microsoft Windows, Adobe Flash, and Oracle Java, to gain initial access and escalate privileges within target systems.

Targeted Attacks

Turla's targets span the globe, with a notable concentration in European, Asian, and Middle Eastern countries. The countries it has affected are France, Romania, Kazakhstan, Poland, Tajikistan, Austria, Russia, the United States, Saudi Arabia, Germany, India, Armenia, Belarus, the Netherlands, Iran, Uzbekistan, and Iraq.

Turla has been implicated in several significant cyberespionage campaigns:

Moonlight Maze (1996-1998): Initiated in 1996, this early cyberespionage campaign targeted the U.S., breaching various government systems, including the US Navy, Air Force, NASA, Department of Energy, EPA, and NOAA. Researchers linked the operation to Turla in 2016, suggesting Moonlight Maze was an early manifestation of Turla.

Agent.btz (2008): This was a major attack on the U.S. Department of Defense. The Agent.btz virus infected the classified network of the DOD's US Central Command. Additionally, at least 400,000 computers across Russia and Europe were infected. This breach prompted the Buckshot Yankee initiative and the establishment of the U.S. Cyber Command.

Epic Turla: The global multistage cyberespionage campaign primarily targeted Eastern Europe. It reportedly compromised hundreds of systems across sectors in over 45 countries. The attacks used at least two zero-day exploits CVE-2013-5065 and CVE-2013-3346 and generated spearphishing e-mails with malicious PDF attachments.

WITCHCOVEN (2015): Turla compromised over 100 websites under this operation, collecting data on potential victims using web analytics and open-source tools. The injected code, known as "WITCHCOVEN," aimed to build user profiles for espionage through a persistent tracking cookie.

RUAG Espionage (2016): Swiss defense company RUAG fell victim to a sophisticated cyberespionage campaign that resulted in the theft of sensitive data related to Swiss military technology. The attack lasted for around two years and a total of 23GB of data were exfiltrated from the network.

In 2019, Turla was found running an attack campaign hitting 13 organizations across 10 different countries in three different campaigns, which involved a swath of new tools. These campaigns were wide-ranging, hitting targets in Europe, Latin America, and South Asia.

Mitigation and Prevention

To defend against shapeshifting threat actors such as Turla, organizations require a 360-degree investigation of every suspicious alert captured by detection systems. However, security teams grapple with the immense influx of IOCs that lack contextual insights. Threat data collected from various sources requires significant processing, including de-duplication, normalization, and enrichment with context and correlation. Cyware’s Intel Exchange (CTIX), an automated threat intelligence platform provides capabilities for effectively operationalizing threat intelligence. By combining it with Respond (CFTR), an automated incident response and threat analysis platform, security teams can track the evolution of sophisticated threats like Turla APT and leverage enriched intel to connect the dots between external intel, internal telemetry, and historical incidents for proactive defense.

Other than that, always have multifactor authentication in place and train employees how to distinguish effectively between phishing emails and the actual ones. Regularly back up your most important data.

Conclusion

The impact of succumbing to a Turla APT attack carries substantial risk, extending beyond mere financial losses and data breaches to the potential compromise of critical infrastructure. This scenario could pose significant national security and geopolitical consequences. Consequently, it is imperative for organizations, irrespective of size or industry, to prioritize robust security strategies and allocate resources to implement multifaceted security measures. This approach is crucial in fortifying defenses against the increasing threat posed by APT groups, exemplified by entities like Turla APT.

Indicators of Compromise (IOCs)

SHA 256

ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39

64e8744b39e15b76311733014327311acd77330f8a135132f020eac78199ac8a

8490daab736aa638b500b27c962a8250bbb8615ae1c68ef77494875ac9d2ada2

b51105c56d1bf8f98b7e924aa5caded8322d037745a128781fa0bc23841d1e70

Bf6f30673cf771d52d589865675a293dc5c3668a956d0c2fc0d9403424d429b2

Cd4c2e85213c96f79ddda564242efec3b970eded8c59f1f6f4d9a420eb8f1858

b262292e049ee75d235164df98fa8ed09a9e2a30c5432623856bafd4bd44d801

0fc624aa9656a8bc21731bfc47fd7780da38a7e8ad7baf1529ccd70a5bb07852

3f94b20cb7f4ff55207660649ebbb02679c991fe03efbcb0bd3840fc7f0bd527

29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94

87663affd147065d08d4fe76d9a18b0d7d85fab68cf9f5ac96cfdfff3f27ffd2

6536b6b50aa1f6899ffa90aaf4b1b67c0ae0f6c0441016f5308b37c12141c61d

fc68026b83392aa227e9adf9c71289cb51ba03427f6de67a73ae872e19ef6ff9

1950d2e706fbc6263d376c0c4f16bd5acfd543248ee072657ba3dd62da8427eb

cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986

8d9bb878a18b2b7ef558504e78a59eb644f83a63679658533ff8accf0b85fda3

009406c1c7c0b289a25d44dfaa8364633d9b71df5f3c7a65deec1ef00a8c2ebb

7a7d11adbcb740323eb52b097f535cfa5c281bf07a4d5c4afb0c5182fa4ffd1b

d4ba16db7c26622d2d402cb9714331abfee891b6276d16e6c2f2132e8944cc71

046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758

0010ccb822538d1881c61be874af49382c44b6c9cb665081cf0f672cbed5b6a5

29b1da7b17a7ba3e730e6927058d0554a8bc81bdef88e364097fab0bb1950edc

16860fc685ea0dee91e65e253062153ac6c886fdd73a3020c266601f58038a61

10c0e2afb37a24ac7732a402a4c9d854b35a382f1651d4aa2ece429b154aecb2

00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d

134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8

166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405

44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316

A3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642

187bf95439da038c1bc291619507ff5e426d250709fa5e3eda7fda99e1c9854c

b93484683014aca8e909c9b5648d8f0ac21a45d0c193f6ca40f0b01d2464c1c4

493e5fae191950b901764868b065ddddffa4f4c9b497022ee2f998b4a94f0fc2

f3aaa091fdbc8772fb7bd3a81665f4d33c3b62bf98caad6fee4424654ba26429

2b969111dd1968d47b02d6390c92fb622cd03570b02ecf9215031ff03611a2b7

7d5794ad91351c7c5d7fbad8e83e3b71a09baac65fb09ca75d8d18339d24a46f

6ca0b4efe077fe05b2ae871bf50133c706c7090a54d2c3536a6c86ff454caa9a

20691ff3c9474cfd7bf6fa3f8720eb7326e6f87f64a1f190861589c1e7397fa5

e33580ae3df9d27d7cfb7b8f518a2704e55c92dd74cbbab8ef58ddfd36524cc8

030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01

URLs

hxxps://moneybac[.]ru/wlbdugfllvovexjx/calcbtc[.]exe

hxxps://kdr[.]zarkada[.]ru/507913557[.]exe

hxxp://kamikirim[.]my[.]id/Explorer[.]exe

hxxps://installcb[.]online/7l[.]exe

hxxp://datanalyze[.]xyz/

Email

unlock@support-mult[.]com

glen.morriss75@seznam[.]cz

sunyaf@seznam[.]cz

sami.vaarala@iki[.]fi

rbsm@ic.ufal[.]br

shannon@litegait[.]com

Domains

Gaismustudija[.]lv

Hcdh-tunisie[.]org

www.gallen[.]fi

Manager.surro[.]am

Lakihelppi[.]com

branter[.]tk

wekanda[.]tk

sanitar[.]ml

duke6[.]tk

bronerg[.]tk

Crusider[.]tk

www.berlinguas[.]com

www.balletmaniacs[.]com

hxxps://xre[.]popmonster[.]ru/2143165147[.]exe

hxxps://www.bombheros[.]com/wp-content/languages/index[.]php

hxxps://www.simplifiedhomesales[.]com/wp-includes/images/index.php

hxxp://mtsoft.hol[.]es/wp-content/gallery/

hxxp://www.polishpod101[.]com/forum/language/en/sign/

hxxps://www.pierreagencement[.]fr/wp-content/languages/index.php

hxxps://sansaispa[.]com/wp-includes/images/gallery/

hxxps://octoberoctopus.co[.]za/wp-includes/sitemaps/web/

hxxps://mail.numina[.]md/owa/scripts/logon.aspx

hxxps://mail.aet.in[.]ua/outlook/api/logoff.aspx

hxxps://mail.arlingtonhousing[.]us/outlook/api/logoff.aspx

hxxps://mail.kzp[.]bg/outlook/api/logoff.aspx

hxxps://mail.lechateaudelatour[.]fr/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITCHERT/SYNC

hxxps://mail.lebsack[.]de/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITCHERT/SYNC

IPs

194.67.209[.]186

197.168.0[.]247

46.101.209[.]249

210.48.231[.]182

103.102.45[.]14

94.140.8[.]48

192.185.37[.]183

122.155.174[.]188

81.161.229[.]75

212.21.52[.]110

MITRE ATT&CK Tactics and Techniques

Resource Development

Acquire Infrastructure, Compromise Infrastructure, Develop Capabilities, Obtain Capabilities

Execution

Command and Scripting Interpreter, Native API, User Execution

Initial Access

Drive-by Compromise, Phishing, Valid Accounts

Persistence

Boot or Logon Autostart Execution, Event Triggered Execution, Valid Accounts

Privilege Escalation

Access Token Manipulation, Boot or Logon Autostart Execution, Event Triggered Execution, Exploitation for Privilege Escalation, Process Injection, Valid Accounts

Defense Evasion

Access Token Manipulation, Deobfuscate/Decode Files or Information, Impair Defenses, Modify Registry, Obfuscated Files or Information, Process Injection, Subvert Trust Controls, Valid Accounts

Credential Access

Brute Force, Credentials from Password Stores

Discovery

Account Discovery, File and Directory Discovery, Group Policy Discovery, Password Policy Discovery, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery

Lateral Movement

Lateral Tool Transfer, Remote Services

Collection

Archive Collected Data, Data from Information Repositories, Data from Local System, Data from Removable Media

Command and Control

Application Layer Protocol, Ingress Tool Transfer, Proxy, Web Service

Exfiltration

Exfiltration Over Web Service