| Turla | |
| --- | --- |
| Other Names | The Epic Turla, Snake, Uroburos, Epic |
| Location | Russia |
| Date of initial activity | 2004 |
| Suspected attribution | State-sponsored Threat Group |
| Government Affiliation | Yes |
| Associated Groups | IRON HUNTER, Group 88, Waterbug, WhiteBear, Krypton, Venomous Bear, Secret Blizzard, BELUGASTURGEON |
| Motivation | Cyber Espionage |
| Associated tools | Snake |
Overview
Turla is a highly sophisticated and persistent cyber espionage threat group associated with Russia’s Federal Security Service (FSB). Active since at least 2004, Turla has targeted a broad spectrum of sectors including government, military, education, research, and pharmaceutical industries across over 50 countries.
Turla employs a diverse set of tactics, techniques, and procedures to infiltrate and exploit its targets. For initial access the group relies on phishing and spearphishing, deceiving targets into downloading malicious payloads, and on watering hole attacks that compromise websites its targets visit frequently. Once inside, it relies heavily on custom-developed tools and malware, such as Uroburos and the Carbon framework, to maintain persistence, conduct reconnaissance, and exfiltrate data.
The group utilizes bespoke malware like Uroburos, Carbon, and ComRAT for various stages of their attacks, including data exfiltration and command and control (C2) communications. They exploit known vulnerabilities, such as those in the VBoxDrv.sys driver, to gain elevated privileges on compromised systems, and use encrypted channels and web services, such as Dropbox and GitHub, for exfiltrating stolen data.
Turla is linked with various aliases and associated threat groups, including IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear, Secret Blizzard, and BELUGASTURGEON. They have developed and adapted several tools, such as IronNetInjector and LightNeuron, which are used for tasks ranging from data collection to command execution. Their command and control infrastructure frequently involves compromised VPS and web services.
Turla’s operations are marked by their strategic sophistication and the use of advanced evasion techniques. Their ability to remain undetected while extracting valuable information from high-profile targets showcases their expertise in cyber espionage. The group’s activities highlight the growing threat posed by nation-state actors in the realm of cyber espionage, emphasizing the need for robust cybersecurity measures and international collaboration to counteract such advanced persistent threats.
Common targets
Turla, also known by its various aliases, has targeted a wide range of organizations and sectors globally, often focusing on high-value and strategic targets. Key targets include:
Government Entities: Turla frequently targets government agencies and diplomatic organizations. Their espionage campaigns often aim to gather sensitive political and strategic information.
Military Organizations: The group has a history of targeting military institutions and defense contractors, seeking intelligence related to national security and defense strategies.
Diplomatic Institutions: Embassies and consulates are common targets, where Turla seeks to intercept communications and gather diplomatic intelligence.
Energy Sector: Turla has targeted organizations in the energy sector, including oil and gas companies, possibly to obtain information on energy policies, infrastructure, and strategic resources.
Academic Institutions: Universities and research institutions are targeted to gain access to cutting-edge research and intellectual property.
Technology Firms: Companies in the technology sector, including those involved in cybersecurity and software development, are targeted for their technological innovations and potential vulnerabilities.
Healthcare Organizations: While less frequent, Turla has also been known to target healthcare entities, likely to gain access to sensitive health data and research.
Financial Sector: Financial institutions are targeted for their economic intelligence and potentially sensitive financial data.
Attack Vectors
Spear Phishing
Exploiting Public-Facing Applications
Watering Hole Attacks
Supply Chain Attacks
Malicious Documents
Credential Dumping
Social Engineering
Remote Exploitation