Rule of the Week: Turla Group

Turla APT has been operating since 2004, conducting cyberespionage campaigns against a range of sectors including government, embassies, military, education, research, and pharmaceutical companies in Europe, the Middle East, Asia, and South America. It is one of the most advanced Russian state-sponsored threat actors and is known for sophisticated tooling and unconventional tradecraft. The group is notorious for high-profile operations and advanced malware: hijacking the infrastructure of an Iranian APT group to run its own operations, and the LightNeuron backdoor, which takes full control of traffic on an infected mail server, including email interception.

Watering hole attacks and spearphishing campaigns are the group's most characteristic initial access methods. Its arsenal is aimed primarily at compromising Windows systems, but it also includes tools for macOS and Linux. Turla's TTPs have remained largely consistent over time, so you can learn more about the techniques and tools used by this group in the MITRE ATT&CK section of Threat Detection Marketplace: https://tdm.socprime.com/att-ck/

The exclusive threat hunting rule by Ariel Millahuel is based on the latest observed Turla APT campaigns and helps uncover the group's activity on Windows systems: https://tdm.socprime.com/tdm/info/dUqVvAkwxPTB/L-YRW3IBv8lhbg_iue9J/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Defense Evasion, Execution, Persistence, Privilege Escalation

Techniques: Modify Registry (T1112), Scheduled Task (T1053), User Execution (T1204)
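The rule's own logic is not reproduced on this page. As an added illustration of what hunting across two of the mapped techniques can look like, the Python below (written for this post, not the Threat Detection Marketplace rule and not Turla-specific) correlates Windows Security events on the same host: scheduled task creation (Event ID 4698, mapping to T1053) followed within a short window by a modification of a registry autostart location (Event ID 4657, mapping to T1112). The sample events, host names, task names and the five-minute window are constructed assumptions for the demonstration.

```python
"""Toy correlation hunt: scheduled task creation (4698) plus a write to a
registry autostart key (4657) on the same host within a short window.
Added example for this post; the events below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names follow the Security log schema
# loosely (TaskName for 4698, ObjectName/ObjectValueName for 4657).
SAMPLE_EVENTS = [
    {"time": "2020-07-20T10:00:05", "host": "WS01", "event_id": 4698,
     "user": "CORP\\jdoe", "task_name": "\\Microsoft\\Windows\\Update\\svchost"},
    {"time": "2020-07-20T10:00:40", "host": "WS01", "event_id": 4657,
     "user": "CORP\\jdoe",
     "object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "svchost"},
    # Benign-looking: a SYSTEM task with no nearby autostart write.
    {"time": "2020-07-20T11:30:00", "host": "WS02", "event_id": 4698,
     "user": "NT AUTHORITY\\SYSTEM", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    # Registry write to a non-autostart key: ignored by the hunt.
    {"time": "2020-07-21T09:00:00", "host": "WS03", "event_id": 4657,
     "user": "CORP\\asmith", "object": "HKCU\\Software\\Contoso\\Settings",
     "value_name": "Theme"},
]

# Common autostart locations; the comparison is case-insensitive.
AUTOSTART_KEYS = (
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE",
    "\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON",
)


def is_autostart_key(path):
    """True if the registry path is one of the autostart locations above."""
    upper = path.upper()
    return any(key in upper for key in AUTOSTART_KEYS)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(events, window=timedelta(minutes=5)):
    """Return one hit per (task creation, autostart write) pair on the same
    host that occurred within `window` of each other."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    hits = []
    for host, evs in by_host.items():
        tasks = [e for e in evs if e["event_id"] == 4698]
        reg_writes = [e for e in evs
                      if e["event_id"] == 4657 and is_autostart_key(e["object"])]
        for task in tasks:
            t_time = _parse(task["time"])
            for reg in reg_writes:
                if abs(_parse(reg["time"]) - t_time) <= window:
                    hits.append({
                        "host": host,
                        "user": task["user"],
                        "task": task["task_name"],
                        "registry": reg["object"] + "\\" + reg["value_name"],
                    })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Event 4657 is only emitted when a SACL is configured on the key, so in a real environment the registry side of this hunt usually comes from Sysmon Event ID 13 or EDR telemetry instead; the correlation logic is the same.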


More detection content to spot various tools used by Turla APT: https://tdm.socprime.com/?dateFrom=0&dateTo=0&searchProject=content&searchType=tags&searchSubType=custom&searchQueryFeatures=false&searchValue=turla