| Turla | |
|---|---|
| Other Names | The Epic Turla, Snake, Uroburos, Epic |
| Location | Russia |
| Date of initial activity | 2004 |
| Suspected attribution | State-sponsored Threat Group |
| Government Affiliation | Yes |
| Associated Groups | IRON HUNTER, Group 88, Waterbug, WhiteBear, Krypton, Venomous Bear, Secret Blizzard, BELUGASTURGEON |
| Motivation | Cyber Espionage |
| Associated tools | Snake |
Overview
Turla is a highly sophisticated and persistent cyber espionage threat group associated with Russia’s Federal Security Service (FSB). Active since at least 2004, Turla has targeted a broad spectrum of sectors including government, military, education, research, and pharmaceutical industries across over 50 countries.
Turla employs a diverse set of tactics, techniques, and procedures to infiltrate and exploit their targets. For initial access they are known for sophisticated spear-phishing, which deceives targets into downloading malicious payloads, and for watering hole attacks that compromise websites frequently visited by their targets. The group relies heavily on custom-developed tools and malware, such as Uroburos and the Carbon framework, to maintain persistence, conduct reconnaissance, and exfiltrate data.
The group utilizes bespoke malware like Uroburos, Carbon, and ComRAT for various stages of their attacks, including data exfiltration and command and control (C2) communications. They exploit known vulnerabilities, such as those in the VBoxDrv.sys driver, to gain elevated privileges on compromised systems, and use encrypted channels and web services, such as Dropbox and GitHub, for exfiltrating stolen data.
Turla is linked with various aliases and associated threat groups, including IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear, Secret Blizzard, and BELUGASTURGEON. They have developed and adapted several tools, such as IronNetInjector and LightNeuron, which are used for tasks ranging from data collection to command execution. Their command and control infrastructure frequently involves compromised VPS and web services.
Turla’s operations are marked by their strategic sophistication and the use of advanced evasion techniques. Their ability to remain undetected while extracting valuable information from high-profile targets showcases their expertise in cyber espionage. The group’s activities highlight the growing threat posed by nation-state actors in the realm of cyber espionage, emphasizing the need for robust cybersecurity measures and international collaboration to counteract such advanced persistent threats.
Common targets
Turla has targeted a wide range of organizations and sectors globally, often focusing on high-value and strategic targets. Key targets include:
Government Entities: Turla frequently targets government agencies and diplomatic organizations. Their espionage campaigns often aim to gather sensitive political and strategic information.
Military Organizations: The group has a history of targeting military institutions and defense contractors, seeking intelligence related to national security and defense strategies.
Diplomatic Institutions: Embassies and consulates are common targets, where Turla seeks to intercept communications and gather diplomatic intelligence.
Energy Sector: Turla has targeted organizations in the energy sector, including oil and gas companies, possibly to obtain information on energy policies, infrastructure, and strategic resources.
Academic Institutions: Universities and research institutions are targeted to gain access to cutting-edge research and intellectual property.
Technology Firms: Companies in the technology sector, including those involved in cybersecurity and software development, are targeted for their technological innovations and potential vulnerabilities.
Healthcare Organizations: While less frequent, Turla has also been known to target healthcare entities, likely to gain access to sensitive health data and research.
Financial Sector: Financial institutions are targeted for their economic intelligence and potentially sensitive financial data.
Attack Vectors
Spear Phishing
Exploiting Public-Facing Applications
Watering Hole Attacks
Supply Chain Attacks
Malicious Documents
Credential Dumping
Social Engineering
Remote Exploitation
How they operate
1. Initial Infection
Spear-Phishing:
Email Campaigns: Attackers send targeted emails containing malicious attachments or links. These emails are crafted to look legitimate and often relate to topics relevant to the victim, such as government or military affairs.
Exploits: Attachments might contain exploits for vulnerabilities in Adobe PDF files (CVE-2013-3346, CVE-2013-5065) that execute malicious payloads upon opening.
Social Engineering:
Malware Installers: Victims are tricked into running malware installers that carry a “.SCR” (screensaver) extension or are packed inside RAR archives. These installers are designed to appear as legitimate software updates or tools.
Watering Hole Attacks:
Compromised Websites: Attackers infect websites frequently visited by their target audience. These websites are modified to serve malicious code based on the visitor’s IP address.
Exploit Delivery: Malicious code might exploit vulnerabilities in Java (CVE-2012-1723), Adobe Flash, or older versions of Internet Explorer to deliver the initial infection.
2. Execution and Communication
Epic Backdoor:
Initial Payload: Once installed, the Epic backdoor (also known as “WorldCupSec,” “TadjMakhal,” “Wipbot,” or “Tadvig”) establishes communication with a command-and-control (C&C) server.
System Information: It sends information about the victim’s system to the C&C server, including details like IP address and system configuration.
3. Post-Infection Activities
Lateral Movement:
Custom Tools: Attackers deploy additional tools for further infiltration, such as keyloggers, custom RAR archivers, and DNS query utilities.
Command Execution: Pre-configured batch files containing a series of commands are executed to extend control over the compromised system.
Data Collection and Exfiltration:
Data Harvesting: The attackers gather sensitive information from infected systems, including emails, documents, and other valuable data.
Ongoing Monitoring: They maintain persistent access to monitor and extract information over an extended period.
4. Evasion and Persistence
Obfuscation Techniques:
Malware Hiding: The malware may use techniques to avoid detection by security software, such as packing or encrypting payloads.
Rootkits: Some components of the malware function as rootkits to conceal their presence on the system.
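As an added, defender-side illustration of the “Malware Hiding” item above (this is example code written for this page, not a Turla tool and not code from the original profile), the Python below uses Shannon entropy to spot packed or encrypted payloads: compressed or encrypted bytes are close to indistinguishable from random data, so their entropy approaches the 8 bits per byte maximum, while code, text and most document structure sit well below that. The sample file, the 7.0 bits/byte threshold and the 1 KiB scanning window are constructed and assumed values, not values taken from the page.

```python
import math
import random
from typing import List, Tuple

HIGH_ENTROPY_THRESHOLD = 7.0   # bits per byte (assumed triage threshold); 8.0 is the maximum
CHUNK_SIZE = 1024              # assumed window size for the sliding scan


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, chunk_size: int = CHUNK_SIZE,
                         threshold: float = HIGH_ENTROPY_THRESHOLD) -> List[Tuple[int, int]]:
    """Scan `data` in fixed-size windows and return (start, end) byte ranges whose
    entropy exceeds `threshold`; adjacent hits are merged into a single range."""
    regions: List[Tuple[int, int]] = []
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        if shannon_entropy(chunk) > threshold:
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)   # extend the previous region
            else:
                regions.append((start, end))
    return regions


def is_suspicious(data: bytes) -> bool:
    """Flag data whose overall entropy is high, or that embeds a high-entropy region."""
    return shannon_entropy(data) > HIGH_ENTROPY_THRESHOLD or bool(high_entropy_regions(data))


def build_sample() -> bytes:
    """Constructed test input (not a real artifact): 2 KiB of document-like text,
    then 2 KiB of seeded pseudo-random bytes standing in for an encrypted payload,
    then 1 KiB of text again."""
    text = b"Quarterly budget figures attached for review before the committee meeting. " * 200
    rng = random.Random(20240101)  # fixed seed so the result is reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    return text[:2048] + blob + text[:1024]


if __name__ == "__main__":
    sample = build_sample()
    print(f"overall entropy: {shannon_entropy(sample):.2f} bits/byte")
    for start, end in high_entropy_regions(sample):
        print(f"high-entropy region at offset 0x{start:x}-0x{end:x}")
    print("suspicious:", is_suspicious(sample))
```

Scanning in windows matters: the sample's overall entropy stays under the threshold because the surrounding text dilutes the embedded blob, whereas the per-chunk scan reports the blob's exact offsets. Entropy is a triage signal rather than a verdict; legitimate compressed resources, certificates and media also score high, so the hits are what you then hand to an unpacker or disassembler.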
Updates and Adaptation:
Continuous Improvement: The threat actor regularly updates their tactics, techniques, and procedures (TTPs) to evade detection and counteract defensive measures.
New Exploits: They may leverage newly discovered vulnerabilities or create custom exploits to bypass security controls.
5. Targets and Objectives
Strategic Focus:
High-Value Targets: The primary targets are government entities, military organizations, and other high-value sectors such as pharmaceutical companies and research institutions.
Geographic Focus: While many victims are in the Middle East and Europe, the attacks also span other regions, including the USA, reflecting the global reach and impact of the campaign.
By using a combination of advanced exploitation techniques, social engineering, and custom malware tools, the threat actor behind Epic Turla maintains a highly effective and resilient cyber-espionage operation.
MITRE Tactics and Techniques
T1071.001 – Application Layer Protocol: Web Protocols
T1071.002 – Application Layer Protocol: File Transfer Protocol
T1027 – Obfuscated Files or Information
T1060 – Registry Run Keys / Startup Folder
T1059 – Command and Scripting Interpreter
T1056.001 – Input Capture: Keylogging
T1064 – Sudo and Sudo Caching
T1055 – Process Injection
T1105 – Ingress Tool Transfer
T1135 – Network Share Discovery
T1218 – Signed Binary Proxy Execution
T1046 – Network Service Scanning
T1028 – Windows Remote Management