Turla
Also known as: IRON HUNTER · Group 88 · Waterbug · WhiteBear · Snake · Krypton · Venomous Bear · Secret Blizzard · BELUGASTURGEON
Overview
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.
Targets
Education · Energy · Government · Healthcare · Military · Private sector
Regions
Belarus · France · Germany · India · Iran · Iraq · Kazakhstan · Netherlands · Poland · Romania · Russia · Saudi Arabia · South Korea · Tajikistan · United Kingdom · United States · Uzbekistan
Capabilities
- Custom malware/implant development — ATT&CK: 17 attributed custom malware families
TTPs — 68 techniques across 13 tactics
Resource Development
- T1583.006 Web Services
- T1584.003 Virtual Private Server
- T1584.004 Server
- T1584.006 Web Services
- T1587.001 Malware
- T1588.001 Malware
- T1588.002 Tool
Initial Access
- T1189 Drive-by Compromise
- T1566.002 Spearphishing Link
Execution
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.006 Python
- T1059.007 JavaScript
- T1106 Native API
- T1204.001 Malicious Link
Persistence
- T1547.001 Registry Run Keys / Startup Folder
- T1547.004 Winlogon Helper DLL
Privilege Escalation
- T1068 Exploitation for Privilege Escalation
- T1546.003 Windows Management Instrumentation Event Subscription
- T1546.013 PowerShell Profile
Stealth
- T1027.005 Indicator Removal from Tools
- T1027.010 Command Obfuscation
- T1027.011 Fileless Storage
- T1036.005 Match Legitimate Resource Name or Location
- T1055 Process Injection
- T1055.001 Dynamic-link Library Injection
- T1078.003 Local Accounts
- T1134.002 Create Process with Token
- T1140 Deobfuscate/Decode Files or Information
- T1564.012 File/Path Exclusions
Defense Impairment
- T1112 Modify Registry
- T1553.006 Code Signing Policy Modification
- T1685 Disable or Modify Tools
Credential Access
- T1110 Brute Force
- T1555.004 Windows Credential Manager
Discovery
- T1007 System Service Discovery
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1016.001 Internet Connection Discovery
- T1018 Remote System Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1069.001 Local Groups
- T1069.002 Domain Groups
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.001 Local Account
- T1087.002 Domain Account
- T1120 Peripheral Device Discovery
- T1124 System Time Discovery
- T1201 Password Policy Discovery
- T1518.001 Security Software Discovery
- T1615 Group Policy Discovery
Lateral Movement
- T1021.002 SMB/Windows Admin Shares
- T1570 Lateral Tool Transfer
Collection
- T1005 Data from Local System
- T1025 Data from Removable Media
- T1213.006 Databases
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1071.003 Mail Protocols
- T1090 Proxy
- T1090.001 Internal Proxy
- T1102 Web Service
- T1102.002 Bidirectional Communication
- T1105 Ingress Tool Transfer
Exfiltration
- T1567.002 Exfiltration to Cloud Storage
Tools & malware (30)
PsExec · nbtstat · ComRAT · netstat · certutil · Empire · Mosquito · KOPILUWAK · IronNetInjector · LunarWeb · Arp · Crutch · Uroburos · PowerStallion · Gazer · Kazuar · Systeminfo · LightNeuron · Carbon · Mimikatz · Tasklist · LunarMail · Net · Reg · HyperStack · Epic · NBTscan · TinyTurla · Penquin · LunarLoader
Reporting (3)
- How Microsoft names threat actors — Microsoft
- Hunting Russian Intelligence “Snake” Malware — FBI et al
- TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines — Cisco Talos