Introduction
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). It has compromised victims in over 50 countries since at least 2004, across government, embassies, military, education, research and pharmaceutical organisations. Turla is known for watering hole and spearphishing campaigns and for its in-house tooling, such as the Uroburos rootkit (also tracked as Snake) [2][3][4][5][6].
Activities and Tactics
Targeted Sectors: Government, Administration, Education, Electric, Energy, Health, Military, Private sector
Country of Origin: 🇷🇺 Russia
Risk Level: High
First Seen: 2014
Last Activity: 2019
Incident Type: Espionage
Suspected Victims: France, Romania, Kazakhstan, Poland, Tajikistan, Russia, United States, Saudi Arabia, Germany, India…
Notable Campaigns
- Satellite Turla
- Epic Turla
- The “Penquin” Turla
- Witchcoven
- RUAG hack
- Mosquito
- Moonlight Maze
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 11 public reports that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- PowerDuke
- POWERSTATS
- Power Loader
- POWERSOURCE
- China Chopper
- Archelaus Beta
- PowerRAT
- CrossRat
- CyberAzov
- Unidentified ASP 001 (Webshell)
- Penquin Turla
- KopiLuwak
- MiniJS
- HTML5 Encoding
- Maintools.js
- Uroburos
- DeliveryCheck
- LunarMail
- NetFlash
- Neuron
- QUIETCANARY
- Pelmeni
- TwoDash
- TwoFace
- Agent.BTZ
- ApolloShadow
- Cobra Carbon System
- ComLook
- Crutch
- Gazer
- KSL0T
- LightNeuron
- MiniPocket
- Mosquito
- Nautilus
- NewPass
- Outlook Backdoor
- PowerShellRunner
- Satellite Turla
- Skipper
- TinyTurla
- TinyTurlaNG
- TurlaRPC
- Turla SilentMoon
- Wipbot
- Kazuar
- systeminfo
- net
- tasklist
- gpresult
- wce
- pwdump
- Turla
- Tavdig
- Agent.dne
- AdobeARM
- ATI-Agent
- MiniDionis
- WhiteBear
Russian APT Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | Mimikatz |
| Defense Evasion | PowerShellRunner, VirtualBox Driver |
| Discovery | NBTScan, SScan |
| Exfiltration | 4Shared, Dropbox, GMX, Gmail, OneDrive, VFEmail |
| LOLBAS | PsExec |
| Networking | Chisel |
| OffSec | Evil-WinRM, Metasploit, PowerShell Empire, PowerSploit |
| RMM Tools | IntelliAdmin |
Attribution and Evidence
Country of Origin: Russia
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK: Turla group entry
[2] Kaspersky: Turla
[3] ESET: Gazer, Aug 2017
[4] CrowdStrike: VENOMOUS BEAR
[5] ESET: Turla Mosquito, Jan 2018
[6] Joint Cybersecurity Advisory AA23-129A: Snake Malware, May 2023