Turla is a Russian-based threat group that has infected victims in over 45 countries since 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and for leveraging in-house tools and malware. Turla's espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.
Associated Group Descriptions

| Name | Description |
|---|---|
| Waterbug | Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group. |
| WhiteBear | WhiteBear is a designation used by Securelist to describe a cluster of activity under broader G0010 activity. |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | Turla may attempt to connect to systems within a victim's network using |
| Enterprise | T1083 | File and Directory Discovery | Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, and the Program Files directory. |
| Enterprise | T1066 | Indicator Removal from Tools | Based on a comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe. |
| Enterprise | T1086 | PowerShell | Turla has used a custom executable to execute PowerShell scripts. |
| Enterprise | T1057 | Process Discovery | Turla surveys a system upon check-in to discover running processes using the |
| Enterprise | T1055 | Process Injection | Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges. |
| Enterprise | T1012 | Query Registry | Turla surveys a system upon check-in to discover information in the Windows Registry with the |
| Enterprise | T1105 | Remote File Copy | Turla has used shellcode to download Meterpreter after compromising a victim. |
| Enterprise | T1018 | Remote System Discovery | Turla surveys a system upon check-in to discover remote systems on a local network using the |
| Enterprise | T1193 | Spearphishing Attachment | Turla has used spearphishing emails to deliver BrainTest as a malicious attachment. |
| Enterprise | T1192 | Spearphishing Link | Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access. |
| Enterprise | T1071 | Standard Application Layer Protocol | Turla has used HTTP and HTTPS for C2 communications. |
| Enterprise | T1082 | System Information Discovery | Turla surveys a system upon check-in to discover operating system configuration details using the |
| Enterprise | T1016 | System Network Configuration Discovery | Turla surveys a system upon check-in to discover network configuration details using the |
| Enterprise | T1049 | System Network Connections Discovery | Turla surveys a system upon check-in to discover active local network connections using the |
| Enterprise | T1007 | System Service Discovery | Turla surveys a system upon check-in to discover running services and associated processes using the |
| Enterprise | T1124 | System Time Discovery | Turla surveys a system upon check-in to discover the system time by using the |
| Enterprise | T1204 | User Execution | Turla has used spearphishing via a link to get users to download and run their malware. |
| Enterprise | T1077 | Windows Admin Shares | Turla used |
| Enterprise | T1004 | Winlogon Helper DLL | Turla established persistence by adding a Shell value under the Registry key |
References

- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- ESET. (2017, August). Gazing at Gazer: Turla's new second stage backdoor. Retrieved September 14, 2017.
- Meyers, A. (2018, March 12). Meet CrowdStrike's Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
- Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
- ESET. (2017, March 30). Carbon Paper: Peering into Turla's second stage backdoor. Retrieved November 7, 2018.
- Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
- Levene, B., et al. (2017, May 3). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.