Threat Actor Profile

Turla

Aliases: ATK13, BELUGASTURGEON, Blue Python, G0010, Group 88, Hippo Team, IRON HUNTER, ITG12, KRYPTON, MAKERSMARK, Pacifier APT, Pfinet, Popeye, Secret Blizzard, SIG23, Snake, SUMMIT, TAG_0530, UAC-0003, UAC-0024, UAC-0144, UNC4210, Uroburos, VENOMOUS Bear, Waterbug, WhiteBear, WRAITH
Threat level: High
A 2014 Guardian article described Turla as follows: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much-documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took. Kaspersky Lab, however, picked up a number of the attackers' searches through their victims' emails, which included terms such as "Nato" and "EU energy dialogue". Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantec's Gavin O'Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'
Origin: Russia
Sponsor: Russian Federation
Motivation: Espionage

Target Sectors

Government
Military
Government administration
Education
Electric energy
Health

Known TTPs

The entries below are MITRE ATT&CK technique and sub-technique names. Sub-techniques are listed without their parent technique, so a name such as 'Web Services' or 'Malware' can appear twice because ATT&CK defines it under more than one parent technique.

Web Services
Modify Registry
Local Groups
Deobfuscate/Decode Files or Information
Tool
JavaScript
Create Process with Token
Visual Basic
PowerShell Profile
Web Services
Dynamic-link Library Injection
Ingress Tool Transfer
Windows Credential Manager
Proxy
Exploitation for Privilege Escalation
Group Policy Discovery
System Network Connections Discovery
Native API
Mail Protocols
SMB/Windows Admin Shares
Registry Run Keys / Startup Folder
Data from Local System
Query Registry
System Service Discovery
Brute Force
Lateral Tool Transfer
Drive-by Compromise
Server
Domain Account
Disable or Modify Tools
File/Path Exclusions
Peripheral Device Discovery
Exfiltration to Cloud Storage
Bidirectional Communication
Web Protocols
System Time Discovery
Local Account
Malicious Link
Internal Proxy
Windows Management Instrumentation Event Subscription
Archive via Utility
Windows Command Shell
Process Discovery
System Network Configuration Discovery
Malware
Data from Removable Media
Security Software Discovery
PowerShell
Command Obfuscation
Python
Databases
Remote System Discovery
Malware
Domain Groups
Fileless Storage
Winlogon Helper DLL
Code Signing Policy Modification
Spearphishing Link
Internet Connection Discovery
Web Service
System Information Discovery
Virtual Private Server
Match Legitimate Resource Name or Location
Process Injection
Local Accounts
Password Policy Discovery
File and Directory Discovery
Indicator Removal from Tools
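Three of the TTPs listed above (Registry Run Keys / Startup Folder, Winlogon Helper DLL, and Match Legitimate Resource Name or Location) are the first things a host triage pass checks on a suspected victim. The script below is an added example, not code from the original page or from any Turla report: it parses a constructed .reg export of the Run and Winlogon keys and flags those three patterns. The stock Winlogon values, the system drive (C:), and the short list of commonly impersonated binary names are assumptions about a default Windows install; the sample export is made up for illustration.

```python
"""
Registry persistence triage for three TTPs named above:
Registry Run Keys / Startup Folder, Winlogon Helper DLL, and
Match Legitimate Resource Name or Location.
Input is a .reg export of the HKLM/HKCU Run and Winlogon keys; the parser
handles the [key] / "name"="value" subset of that format.
"""
import re
from dataclasses import dataclass

# Stock Winlogon values on a default Windows install (assumption: system drive C:).
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# Binary names often borrowed for masquerading; an illustrative list, not exhaustive.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "userinit.exe", "explorer.exe", "dllhost.exe", "rundll32.exe",
}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
WINLOGON_KEY_RE = re.compile(r"\\CurrentVersion\\Winlogon$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str
    key: str
    name: str
    value: str


def parse_reg_export(text):
    """Return (key, value_name, value_data) for REG_SZ values in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key:
            # .reg escapes backslashes and quotes inside string data.
            data = re.sub(r'\\(["\\])', r"\1", m.group(2))
            entries.append((key, m.group(1), data))
    return entries


def program_path(command):
    """Return the program path from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def masquerade_findings(key, name, data, comma_list=False):
    """Flag system binary names launched from an explicit path outside C:\\Windows."""
    out = []
    programs = data.split(",") if comma_list else [data]
    for program in programs:
        exe = program_path(program)
        base = exe.lower().rsplit("\\", 1)[-1]
        # Bare names resolve via the search path; only an explicit foreign path is suspicious.
        if base in SYSTEM_BINARY_NAMES and "\\" in exe and not exe.lower().startswith("c:\\windows\\"):
            out.append(Finding("Match Legitimate Resource Name or Location", key, name, exe))
    return out


def triage(reg_text):
    """Return persistence findings, in registry order, for the given .reg export."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if RUN_KEY_RE.search(key):
            findings.append(Finding("Registry Run Keys / Startup Folder", key, name, data))
            findings.extend(masquerade_findings(key, name, data))
        elif WINLOGON_KEY_RE.search(key) and name.lower() in WINLOGON_DEFAULTS:
            if data.lower().strip() != WINLOGON_DEFAULTS[name.lower()]:
                findings.append(Finding("Winlogon Helper DLL", key, name, data))
                findings.extend(masquerade_findings(key, name, data, comma_list=True))
    return findings


# Constructed sample export: one tampered Userinit value and two Run entries.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Ldr\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDriveUpdate"="\"C:\\Users\\Public\\lsass.exe\" -k"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REG_EXPORT):
        print(f"{f.technique:45} {f.key}\\{f.name} -> {f.value}")
```

Every Run value is reported, because a Run entry is a persistence artefact whether or not it is malicious and an analyst wants the full set; the Winlogon check only fires on deviation from the stock value, and the masquerading check deliberately ignores bare names like `explorer.exe` that resolve through the search path, so the default Shell value never produces a false positive.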
