SOCRadar® Cyber Intelligence Inc. | APT Profile: Turla
Home

Resources

Blog
Jun 29, 2023
17 Mins Read

APT Profile: Turla

In the digital age, war has transitioned into the virtual world, where many types of cybercriminals, such as hacktivists and nation-state actors, are called Advanced Persistent Threats (APT) play a role in this type of war. Some of the APTs conduct “silent” campaigns of intrusion and destabilization during their attacks. These groups involved in cyber-espionage are redefining the landscape of security, aiming at critical infrastructures and confidential sectors across the globe. Among these, the Turla group, hailing from Russia, has set itself apart as a significant force. Turla group’s operations, impacting more than 45 countries, are as widespread as they are complex. This article delves into the profile of Turla, examining their attacks, attacking style, and the global effects of what they do.

Who is Turla?

Turla, also known as Snake, UNC4210, Venomous Bear, Waterbug, or Uroburos, is a highly sophisticated APT group with espionage and intelligence-gathering motivations. The group has been active since the late 1990s. This group is believed to be one of the earliest examples of cyber espionage, with a primarily focus on government entities, militaries, and embassies.

Often linked to the Russian Federal Security Service (FSB), Turla has a long history of conducting cyber-espionage campaigns against a wide array of victims, spanning multiple sectors such as high-tech, pharmaceuticals, and retail. The group is known for its stealthiness and adaptability, frequently changing its tactics, techniques, and procedures (TTPs) to evade detection and maintain persistence within its target networks.

Other names of Turla (Source: SOCRadar)
Other names of Turla (Source: SOCRadar)

How Does Turla Attack?

Turla employs a variety of attack vectors to gain initial access to its target systems. These include

  • Spearphishing (T1566.001/002):Turla often uses spearphishing emails, containing malicious attachments or links, to trick unsuspecting users into downloading and executing malware. These emails are typically designed to appear as legitimate communications from trusted sources, increasing the likelihood that the recipient will interact with the malicious content.
  • Watering hole attacks (T1189):This technique involves compromising legitimate websites that are frequented by the target organization’s employees. Once the website is compromised, Turla injects malicious code that exploits vulnerabilities in the visitor’s browser or extensions to gain a foothold on their system.

Turla uses a variety of sophisticated techniques to conduct their attacks. In one of its operations as an example, Turla was observed taking control of expired domains associated with widespread, financially motivated malware like ANDROMEDA. This approach allows them to deliver new malware to victims, enabling follow-on compromises. Turla has also been known to leverage USB spreading malware for gaining initial access into organizations.

Timeline of ANDROMEDA
Timeline of ANDROMEDA (Source: Mandiant)

Adding to their sophistication and stealth, Turla was discovered in 2015 to be hijacking satellite communications to control their malware and exfiltrate data. By spoofing the IP address of a legitimate satellite internet subscriber, Turla could send their stolen data from compromised computers via satellite. An antenna connected to Turla’s command-and-control server could then pick up this broadcast data, leaving virtually no traces for investigators.

Phases of Satellite Hijacking
Phases of Satellite Hijacking (Source: Securelist)

The group uses a combination of tools such as the KOPILUWAK reconnaissance utility and the QUIETCANARY backdoor. KOPILUWAK, a JavaScript-based utility, facilitates C2 communications and victim profiling, while QUIETCANARY is a lightweight .NET backdoor used primarily to gather and exfiltrate data from the victim.

Which Tools and Vulnerabilities Does Turla Use?

Turla is known for using a wide range of custom-developed malware, as well as leveraging publicly available tools and exploiting known vulnerabilities to achieve its objectives. Some of the notable tools and vulnerabilities associated with Turla include:

  • Agent.btz: Agent.btz is a computer worm that spreads primarily through removable devices like USB drives and is known for its significant breach of U.S. military networks in 2008.
  • ComRAT: ComRAT, the new version of Agent.btz, is a Remote Access Trojan (RAT) used by the Turla APT group for cyber espionage. It is known for its unique feature of using the Gmail web interface for command and control operations.
  • KopiLuwak:A JavaScript-based reconnaissance utility used to facilitate command and control (C2) communications and victim profiling. KopiLuwak has been observed in multiple Turla campaigns, often delivered via spearphishing emails or watering hole attacks.
A legitimate-looking website used as a C2 by KopiLuwak (Source: Securelist)
  • TunnusSched (QUIETCANARY): A backdoor used by Turla to maintain persistence and control over compromised systems. TunnusSched allows the attacker to execute arbitrary commands and has been linked to several Turla campaigns targeting government and military organizations.
  • Gazer: A sophisticated backdoor used by Turla that is known for its stealth and persistence capabilities. Gazer is designed to communicate with its C2 server using encrypted channels and can be customized with various plugins to extend its functionality.
Architecture of Gazer (Source: ESET)
  • Carbon: A modular backdoor framework used by Turla, known for its advanced peer-to-peer capability and its ability to augment traditional command and control (C&C) infrastructure with tasks served from legitimate web services like Pastebin.
  • HyperStack:A Remote Procedure Call (RPC) backdoor used by Turla, which uses named pipes for executing RPCs and maintains a custom handshake similar to Carbon’s named-pipe communications.
Diagram of how Hyperstack works (Source: accenture)
  • Kazuar: A Remote Administration Trojan (RAT) used by Turla, configured to receive commands via internal C&C nodes in the victim’s network, while also capable of traditional C&C implementation with servers outside the victim network.

In addition to these custom tools, Turla has also been known to exploit various vulnerabilities in popular software, such as Microsoft Windows, Adobe Flash, and Oracle Java, to gain initial access and escalate privileges within target systems.

List of all observed Malware/Software used by Turla (Source: SOCRadar)
List of all observed Malware/Software used by Turla (Source: SOCRadar)

The fact that they have a wide-range toolset is evidenced by the fact that they have exploited so many CVEs over time

List of all observed CVEs used by Turla (Source: SOCRadar)
List of all observed CVEs used by Turla (Source: SOCRadar)

About the Malware ‘Snake’

Recently, the CISA published an advisory about a Russian Intelligence Malware “Snake”, It provides an in-depth analysis of the “Snake” implant, an advanced cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.

The Snake implant operates through a covert peer-to-peer (P2P) network of Snake-infected computers worldwide. Many of these systems serve as relay nodes, routing operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation to maintain confidentiality and are designed to hamper detection and collection efforts.

The advisory reveals that Snake infrastructure has been identified in over 50 countries across all continents, including the United States and Russia itself. The FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. For instance, FSB actors used Snake to access and exfiltrate sensitive international relations documents from a victim in a North Atlantic Treaty Organization (NATO) country.

The CISA provides detailed technical descriptions of the implant’s host architecture and network communications. It also addresses a recent Snake variant that has not yet been widely disclosed. The technical information and mitigation recommendations are provided to assist network defenders in detecting Snake and associated activity.

The report also delves into the history of Snake, noting that the FSB began developing Snake as “Uroburos” in late 2003. The developers left unique strings in the code, such as “Ur0bUr()sGoTyOu#”, which have publicly come back to haunt them. The report also mentions that the FSB has been quick to adapt Snake when its capabilities have been publicly disclosed by private industry, leading to several variants of Snake over almost 20 years.

The advisory also provides insights into the mistakes made by the FSB in the development and operation of Snake, which have provided researchers with a foothold into the inner workings of Snake and were key factors in the development of capabilities that have allowed for tracking Snake and the manipulation of its data.

What are the Targets of Turla?

Turla predominantly targets organizations in Ukraine. The group infiltrates a wide array of entities and conducts extensive victim profiling. This profiling allows the group to select specific victim systems and tailor their follow-on exploitation efforts to gather and exfiltrate information of strategic importance.

If categorized by sector and country:

Target Sectors of Turla:

Turla’s primary targets are government entities, militaries, and embassies. However, over the years, the group has expanded its operations to include victims from a wide range of sectors, including education, high-tech, pharmaceuticals, and retail.

Target Countries of Turla:

Turla’s victims are located across the globe, with a particular focus on countries in Europe, Asia, and the Middle East. Some of the countries that have been targeted by Turla include France, Romania, Kazakhstan, Poland, Tajikistan, Austria, Russia, the United States, Saudi Arabia, Germany, India, Armenia, Belarus, the Netherlands, Iran, Uzbekistan, and Iraq.

Countries affected by Turla (Source: SOCRadar)
Countries affected by Turla (Source: SOCRadar)

A Quick Look to Turla APT Group’s Operations and Notable Activities:

Turla has been linked to several high-profile cyber-espionage campaigns, including:

  • Moonlight Maze: The Moonlight Maze operation, which started around 1996 and lasted for at least two years, is considered one of the first cyber espionage campaigns that targeted the United States. During this period, the hackers successfully breached various US government systems, including the US Navy, Air Force, NASA, the Department of Energy, the Environment Protection Agency, and the National Oceanic and Atmospheric Administration. The hackers used a modified version of a tool known as Loki2, which they consistently updated over time.
The first article that Turla (Moonlight Maze) was mentioned
The first article that Turla (Moonlight Maze) was mentioned (Source: Kaspersky)

In 2016, researchers established a connection between this tool and Turla, leading to the inference that Moonlight Maze was likely an early operation of what would later become Turla.

  • Agent.btz: In 2008, Turla launched a significant attack on the United States Department of Defense with malware known as Agent.btz. This malware was discovered beaconing out from inside the classified network of the DOD’s US Central Command, which was supposed to be air-gapped and physically isolated from internet-connected networks. The malware had spread from USB thumb drives, though it remains unclear how the infected USB devices infiltrated the US military’s digital inner sanctum. This breach led to a multiyear initiative to revamp US military cybersecurity, a project called Buckshot Yankee, and the creation of US Cyber Command.
  • The Epic Turla: The Epic Turla Operation was a global, multifaceted cyber espionage campaign that primarily targeted Eastern Europe, demonstrating a range of sophisticated attacking patterns. The operation utilized a variety of tactics, including the “watering hole” attack, where hackers compromised websites their targets frequently visit. They also employed spearphishing, sending malicious emails to specific individuals or organizations. Turla exploited zero-day vulnerabilities, such as CVE-2013-5065 (Windows XP and Windows 2003 Privilege escalation vulnerability), and CVE-2013-3346 (Arbitrary code-execution vulnerability in Adobe Reader), to gain unauthorized access to systems, utilizing the flaws in software unknown to the developers. Once infiltrated, various forms of malware, including a rootkit and a backdoor, were deployed to maintain control over the systems and exfiltrate sensitive data, showcasing the complexity and intricacy of this long-term cyber espionage campaign.
  • Witchcoven: A threat actor group compromised over 100 “specifically selected” websites in a cyber espionage operation in 2015. The group, possibly linked to the Turla or Turla itself, used web analytics and open-source tools to collect data about potential victims and their devices. The attackers injected a small piece of code, dubbed “WITCHCOVEN”, into the compromised websites, which collects the victim’s computer and browser configuration and deploys a persistent tracking cookie called “supercookie”. The data collected is believed to be used to create spearphishing emails, build user profiles for espionage, and create a database of potential targets.
Witchcoven’s attack process (Source: FireEye)

The campaign targeted individuals interested in international travel, diplomacy, economics, energy production and policy, and government affairs.

  • RUAG Espionage Incident: In 2016, Swiss defense company RUAG was targeted by Turla in a sophisticated cyber-espionage campaign that resulted in the theft of sensitive data related to Swiss military technology.
Data exfiltration during RUAG Espionage Incident
Data exfiltration during RUAG Espionage Incident (Source: GovCERT.ch)

Is There a Relation Between Turla APT Group and Other Cyber-espionage Groups?

Iranian APT Groups:

The UK’s National Cyber Security Centre (NCSC) disclosed in 2019 that the Neuron and Nautilus tools, which were previously believed to be connected to Turla, were actually likely of Iranian origin. They found that Turla had taken control of these tools and mainly used them against targets located in the Middle East. The NCSC also revealed that Turla employed Iranian web shells and used PoisonFrog C2 control panels, originally associated with COBALT GYPSY (APT34), to disseminate its malicious software.

Diagram and description of Turla's takeover of APT34 C2
Diagram and description of Turla’s takeover of APT34 C2 (Source: Symantec)

According to another source, during one attack against a Middle Eastern target, Turla appeared to hijack the infrastructure (C2) of Iranian APT group Crambus (APT34) and used it to deliver malware onto the victim’s network. This is unusual because these two groups have been linked to different nation states, and there’s no evidence to suggest they were collaborating. The motive behind Turla’s use of Crambus’s infrastructure is unclear. It could have been a false flag operation, a means of intrusion, or an opportunistic move to sow confusion.

Tomiris

The Advanced Persistent Threat (APT) groups, Tomiris and Turla, are distinguished by their unique Tactics, Techniques, and Procedures (TTPs), but overlapping characteristics have confused cybersecurity researchers. Kaspersky’s analysts found that Tomiris had been behind certain attacks previously attributed to Turla.

In an intriguing turn of events between 2021 and 2023, Tomiris demonstrated using Turla’s malicious tools, namely the JavaScript-based KopiLuwak payload and the TunnusSched scheduler. This overlapping tool usage led researchers to speculate potential collaboration or information sharing between these groups, although the exact nature of their relationship is still unclear.

Table showing the relationship between Topinambour, Tunnus, TunnusSched, and RocketMan tools and Turla
Table showing the relationship between Topinambour, Tunnus, TunnusSched, and RocketMan tools and Turla (Source: Kaspersky)

Turla remains an active and formidable threat in the world of cyber-espionage, with a long history of successful campaigns against high-value targets. The group’s adaptability, stealth, and persistence make it a dangerous adversary that is likely to continue targeting organizations worldwide.

Understanding this snake in the grass is the first step in avoiding its bite. By following the recommended security steps below, organizations can better protect their digital assets and ensure that their sensitive information remains secure.

Security Recommendations Against Turla

To defend against Turla and other sophisticated threat actors, organizations should take the following steps:

  • To defend against Turla and similar APTs, organizations should adopt a proactive approach that includes Cyber Threat Intelligence (CTI). CTI involves the collection and analysis of information about potential or current attacks threatening an organization and industry.
  • Implementing security awareness training to employees, focusing on the tactics and techniques used by Turla and other APT groups to help users identify and report suspicious content.
  • Employ the latest intrusion detection and prevention systems (IDS/IPS) and Endpoint Detection and Response (EDR) solutions to monitor network traffic and endpoint behavior for signs of malicious activity. Block access to known malicious domains, hosts, and IP addresses.”
  • Regularly patch and update software to minimize the attack surface and reduce the risk of exploitation.
  • Implement “multi-factor authentication (MFA)” and strong password policies to protect user accounts from unauthorized access.
  • Establish a comprehensive incident response plan and practice it regularly to ensure that your organization is prepared to respond effectively in the event of a breach.

By implementing these measures and staying informed about the latest developments in cyber threat intelligence, organizations can better protect themselves against the ever-evolving threat landscape posed by Turla and other advanced persistent threat groups.

Turla Group’s Threat Actor page in Threat Actor/Malware panel in SOCRadar’s CTI Module (Source: SOCRadar)
ID ID Name
T1134 .002 Access Token Manipulation: Create Process with Token
T1087 .001 Account Discovery: Local Account
T1087 .002 Account Discovery: Domain Account
T1583 .006 Acquire Infrastructure: Web Services
T1071 .001 Application Layer Protocol: Web Protocols
T1071 .003 Application Layer Protocol: Mail Protocols
T1560 .001 Archive Collected Data: Archive via Utility
T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL
T1110 .001 Brute Force
T1059 .001 Command and Scripting Interpreter: PowerShell
T1059 .003 Command and Scripting Interpreter: Windows Command Shell
T1059 .005 Command and Scripting Interpreter: Visual Basic
T1059 .006 Command and Scripting Interpreter: Python
T1059 .007 Command and Scripting Interpreter: JavaScript
T1584 .003 Compromise Infrastructure: Virtual Private Server
T1584 .004 Compromise Infrastructure: Server
T1584 .006 Compromise Infrastructure: Web Services
T1555 .004 Credentials from Password Stores: Windows Credential Manager
T1213 Data from Information Repositories
T1005 Data from Local System
T1025 Data from Removable Media
T1140 Deobfuscate/Decode Files or Information
T1587 .001 Develop Capabilities: Malware
T1189 Drive-by Compromise
T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1546 .013 Event Triggered Execution: PowerShell Profile
T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1068 Exploitation for Privilege Escalation
T1083 File and Directory Discovery
T1615 Group Policy Discovery
T1562 .001 Impair Defenses: Disable or Modify Tools
T1105 Ingress Tool Transfer
T1570 Lateral Tool Transfer
T1112 Modify Registry
T1106 Native API
T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools
T1027 .010 Obfuscated Files or Information: Command Obfuscation
T1027 .011 Obfuscated Files or Information: Fileless Storage
T1588 .001 Obtain Capabilities: Malware
T1588 .002 Obtain Capabilities: Tool
T1201 Password Policy Discovery
T1120 Peripheral Device Discovery
T1069 .001 Permission Groups Discovery: Local Groups
T1069 .002 Permission Groups Discovery: Domain Group
T1566 .002 Phishing: Spearphishing Link
T1057 Process Discovery
T1055 Process Injection
T1055 .001 Dynamic-link Library Injection
T1090 Proxy
T1090 .001 Internal Proxy
T1012 Query Registry
T1021 .002 Remote Services: SMB/Windows Admin Shares
T1018 Remote System Discovery
T1518 .001 Software Discovery: Security Software Discovery
T1553 .006 Subvert Trust Controls: Code Signing Policy Modification
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1016 .001 Internet Connection Discovery
T1049 System Network Connections Discovery
T1007 System Service Discovery
T1124 System Time Discovery
T1204 .001 User Execution: Malicious Link
T1078 .003 Valid Accounts: Local Accounts
T1102 Web Service
T1102 .002 Bidirectional Communication