|
| The Epic Turla Snake Uroburos Epic |
| |
| |
| State-sponsored Threat Group |
| |
| IRON HUNTER, Group 88, Waterbug, WhiteBear,Krypton, Venomous Bear, Secret Blizzard, BELUGASTURGEON |
| |
| Snake
Turla
Carbon
Gazer
Cobra
Cicada
Noxze
Sofacy |
Overview
Turla is a highly sophisticated and persistent cyber espionage threat group associated with Russia’s Federal Security Service (FSB). Active since at least 2004, Turla has targeted a broad spectrum of sectors including government, military, education, research, and pharmaceutical industries across over 50 countries.
Turla employs a diverse set of tactics, techniques, and procedures to infiltrate and exploit their targets. They are known for their use of sophisticated spearphishing and watering hole attacks to gain initial access. The group relies heavily on custom-developed tools and malware, such as the Uroburos and the Carbon framework, to maintain persistence, conduct reconnaissance, and exfiltrate data. Their techniques include phishing and spearphishing to deceive targets into downloading malicious payloads, and watering hole attacks to compromise websites frequently visited by their targets.
The group utilizes bespoke malware like Uroburos, Carbon, and ComRAT for various stages of their attacks, including data exfiltration and command and control (C2) communications. They exploit known vulnerabilities, such as those in the VBoxDrv.sys driver, to gain elevated privileges on compromised systems, and use encrypted channels and web services, such as Dropbox and GitHub, for exfiltrating stolen data.
Turla is linked with various aliases and associated threat groups, including IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear, Secret Blizzard, and BELUGASTURGEON. They have developed and adapted several tools, such as IronNetInjector and LightNeuron, which are used for tasks ranging from data collection to command execution. Their command and control infrastructure frequently involves compromised VPS and web services.
Turla’s operations are marked by their strategic sophistication and the use of advanced evasion techniques. Their ability to remain undetected while extracting valuable information from high-profile targets showcases their expertise in cyber espionage. The group’s activities highlight the growing threat posed by nation-state actors in the realm of cyber espionage, emphasizing the need for robust cybersecurity measures and international collaboration to counteract such advanced persistent threats.
Common targets
Turla, also known by its various aliases, has targeted a wide range of organizations and sectors globally, often focusing on high-value and strategic targets. Key targets include:
Government Entities: Turla frequently targets government agencies and diplomatic organizations. Their espionage campaigns often aim to gather sensitive political and strategic information.
Military Organizations: The group has a history of targeting military institutions and defense contractors, seeking intelligence related to national security and defense strategies.
Diplomatic Institutions: Embassies and consulates are common targets, where Turla seeks to intercept communications and gather diplomatic intelligence.
Energy Sector: Turla has targeted organizations in the energy sector, including oil and gas companies, possibly to obtain information on energy policies, infrastructure, and strategic resources.
Academic Institutions: Universities and research institutions are targeted to gain access to cutting-edge research and intellectual property.
Technology Firms: Companies in the technology sector, including those involved in cybersecurity and software development, are targeted for their technological innovations and potential vulnerabilities.
Healthcare Organizations: While less frequent, Turla has also been known to target healthcare entities, likely to gain access to sensitive health data and research.
Financial Sector: Financial institutions are targeted for their economic intelligence and potentially sensitive financial data.
Attack Vectors
Spear Phishing
Exploiting Public-Facing Applications
Watering Hole Attacks
Supply Chain Attacks
Malicious Documents
Credential Dumping
Social Engineering
Remote Exploitation
How they operate
1. Initial Infection
Spear-Phishing:
Email Campaigns: Attackers send targeted emails containing malicious attachments or links. These emails are crafted to look legitimate and often relate to topics relevant to the victim, such as government or military affairs.
Exploits: Attachments might contain exploits for vulnerabilities in Adobe PDF files (CVE-2013-3346, CVE-2013-5065) that execute malicious payloads upon opening.
Social Engineering:
Malware Installers: Victims are tricked into running malware installers with a “.SCR” extension or those packed with RAR files. These installers are designed to appear as legitimate software updates or tools.
Watering Hole Attacks:
Compromised Websites: Attackers infect websites frequently visited by their target audience. These websites are modified to serve malicious code based on the visitor’s IP address.
Exploit Delivery: Malicious code might exploit vulnerabilities in Java (CVE-2012-1723), Adobe Flash, or older versions of Internet Explorer to deliver the initial infection.
2. Execution and Communication
Epic Backdoor:
Initial Payload: Once installed, the Epic backdoor (also known as “WorldCupSec,” “TadjMakhal,” “Wipbot,” or “Tadvig”) establishes communication with a command-and-control (C&C) server.
System Information: It sends information about the victim’s system to the C&C server, including details like IP address and system configuration.
3. Post-Infection Activities
Lateral Movement:
Custom Tools: Attackers deploy additional tools for further infiltration, such as keyloggers, custom RAR archivers, and DNS query utilities.
Command Execution: Pre-configured batch files containing a series of commands are executed to extend control over the compromised system.
Data Collection and Exfiltration:
Data Harvesting: The attackers gather sensitive information from infected systems, including emails, documents, and other valuable data.
Ongoing Monitoring: They maintain persistent access to monitor and extract information over an extended period.
4. Evasion and Persistence
Obfuscation Techniques:
Malware Hiding: The malware may use techniques to avoid detection by security software, such as packing or encrypting payloads.
Rootkits: Some components of the malware function as rootkits to conceal their presence on the system.
Updates and Adaptation:
Continuous Improvement: The threat actor regularly updates their tactics, techniques, and procedures (TTPs) to evade detection and counteract defensive measures.
New Exploits: They may leverage newly discovered vulnerabilities or create custom exploits to bypass security controls.
5. Targets and Objectives
Strategic Focus:
High-Value Targets: The primary targets are government entities, military organizations, and other high-value sectors such as pharmaceutical companies and research institutions.
Geographic Focus: While many victims are in the Middle East and Europe, the attacks also span other regions, including the USA, reflecting the global reach and impact of the campaign.
By using a combination of advanced exploitation techniques, social engineering, and custom malware tools, the threat actor behind Epic Turla maintains a highly effective and resilient cyber-espionage operation.
MITRE Tactics and Techniques
T1071.001 – Application Layer Protocol: Web Protocols
T1071.002 – Application Layer Protocol: File Transfer Protocol
T1027 – Obfuscated Files or Information
T1060 – Registry Run Keys / Startup Folder
T1059 – Command and Scripting Interpreter
T1056.001 – Input Capture: Keylogging
T1064 – Sudo and Sudo Caching
T1055 – Process Injection
T1105 – Ingress Tool Transfer
T1135 – Network Share Discovery
T1218 – Signed Binary Proxy Execution
T1046 – Network Service Scanning
T1028 – Windows Remote Management
References:
