Turla is a Russia-based threat group that has infected victims in over 45 countries since 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and for leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been used against macOS and Linux machines.
Associated Group Descriptions
Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.
WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.
|Enterprise||T1134||.002||Access Token Manipulation: Create Process with Token|
|Enterprise||T1087||.001||Account Discovery: Local Account|
|.002||Account Discovery: Domain Account|
|Enterprise||T1583||.006||Acquire Infrastructure: Web Services|
|Enterprise||T1071||.001||Application Layer Protocol: Web Protocols|
|.003||Application Layer Protocol: Mail Protocols|
|Enterprise||T1560||.001||Archive Collected Data: Archive via Utility|
|Enterprise||T1547||.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|
|.004||Boot or Logon Autostart Execution: Winlogon Helper DLL|
|Enterprise||T1059||.001||Command and Scripting Interpreter: PowerShell||Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject. Turla has also used PowerShell scripts to load and execute malware in memory.|
|.003||Command and Scripting Interpreter: Windows Command Shell|
|.005||Command and Scripting Interpreter: Visual Basic|
|.006||Command and Scripting Interpreter: Python|
|Enterprise||T1584||.003||Compromise Infrastructure: Virtual Private Server|
|.004||Compromise Infrastructure: Server|
|.006||Compromise Infrastructure: Web Services|
|Enterprise||T1555||.004||Credentials from Password Stores: Windows Credential Manager|
|Enterprise||T1213||Data from Information Repositories|
|Enterprise||T1005||Data from Local System|
|Enterprise||T1025||Data from Removable Media|
|Enterprise||T1140||Deobfuscate/Decode Files or Information|
|Enterprise||T1587||.001||Develop Capabilities: Malware|
|Enterprise||T1546||.003||Event Triggered Execution: Windows Management Instrumentation Event Subscription|
|.013||Event Triggered Execution: PowerShell Profile|
|Enterprise||T1567||.002||Exfiltration Over Web Service: Exfiltration to Cloud Storage|
|Enterprise||T1068||Exploitation for Privilege Escalation|
|Enterprise||T1083||File and Directory Discovery||Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent. Turla RPC backdoors have also searched for files matching the|
|Enterprise||T1562||.001||Impair Defenses: Disable or Modify Tools|
|Enterprise||T1105||Ingress Tool Transfer|
|Enterprise||T1570||Lateral Tool Transfer|
|Enterprise||T1027||Obfuscated Files or Information|
|.005||Indicator Removal from Tools|
|Enterprise||T1588||.001||Obtain Capabilities: Malware|
|Enterprise||T1201||Password Policy Discovery|
|Enterprise||T1120||Peripheral Device Discovery|
|Enterprise||T1069||.001||Permission Groups Discovery: Local Groups|
|.002||Permission Groups Discovery: Domain Groups|
|Enterprise||T1566||.002||Phishing: Spearphishing Link|
Turla surveys a system upon check-in to discover running processes using the
|.001||Dynamic-link Library Injection|
Turla surveys a system upon check-in to discover information in the Windows Registry with the
|Enterprise||T1021||.002||Remote Services: SMB/Windows Admin Shares|
|Enterprise||T1018||Remote System Discovery||Turla surveys a system upon check-in to discover remote systems on a local network using the|
|Enterprise||T1518||.001||Software Discovery: Security Software Discovery|
|Enterprise||T1553||.006||Subvert Trust Controls: Code Signing Policy Modification|
|Enterprise||T1082||System Information Discovery|
|Enterprise||T1016||System Network Configuration Discovery||Turla surveys a system upon check-in to discover network configuration details using the|
|.001||Internet Connection Discovery|
|Enterprise||T1049||System Network Connections Discovery||Turla surveys a system upon check-in to discover active local network connections using the|
|Enterprise||T1007||System Service Discovery|
|Enterprise||T1124||System Time Discovery|
|Enterprise||T1204||.001||User Execution: Malicious Link|
|Enterprise||T1078||.003||Valid Accounts: Local Accounts|
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
- Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
- Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
- ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
- NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
- Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020.
- Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
- Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
- TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.
- ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
- ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.