Turla

OriginRússia

Techniques (MITRE ATT&CK)68

SourceMITRE ATT&CK

Also known as:IRON HUNTERGroup 88WaterbugWhiteBearSnakeKryptonVenomous BearSecret BlizzardBELUGASTURGEON

Vexday analysis

Turla é um grupo de espionagem cibernética atribuído ao Serviço Federal de Segurança da Rússia (FSB), rastreado pelo MITRE ATT&CK sob o identificador G0010 e também conhecido pelos aliases IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake e Krypton. O grupo compromete vítimas em mais de 50 países desde pelo menos 2004, abrangendo setores como governo, embaixadas, forças militares, educação, pesquisa e indústria farmacêutica. Suas operações envolvem campanhas de watering hole e spearphishing, com uso de ferramentas e malwares próprios, como o Uroburos. Ao todo, 68 técnicas do framework MITRE ATT&CK são documentadas em associação ao grupo.

Techniques (MITRE ATT&CK) 68

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Resource development

Web Services Virtual Private Server Server Web Services Malware Malware Tool

Initial access

Drive-by Compromise Spearphishing Link

Execution

PowerShell Windows Command Shell Visual Basic Python JavaScript Native API Malicious Link

Persistence

Registry Run Keys / Startup Folder Winlogon Helper DLL

Privilege escalation

Exploitation for Privilege Escalation Windows Management Instrumentation Event Subscription PowerShell Profile

Credential access

Brute Force Windows Credential Manager

Discovery

System Service Discovery Query Registry System Network Configuration Discovery Internet Connection Discovery Remote System Discovery System Network Connections Discovery Process Discovery Local Groups Domain Groups System Information Discovery File and Directory Discovery Local Account Domain Account Peripheral Device Discovery System Time Discovery Password Policy Discovery Security Software Discovery Group Policy Discovery

Lateral movement

SMB/Windows Admin Shares Lateral Tool Transfer

Collection

Data from Local System Data from Removable Media Databases Archive via Utility

Command and control

Web Protocols Mail Protocols Proxy Internal Proxy Web Service Bidirectional Communication Ingress Tool Transfer

Exfiltration

Exfiltration to Cloud Storage

defense-impairment

Modify Registry Code Signing Policy Modification Disable or Modify Tools

stealth

Indicator Removal from Tools Command Obfuscation Fileless Storage Match Legitimate Resource Name or Location Process Injection Dynamic-link Library Injection Local Accounts Create Process with Token Deobfuscate/Decode Files or Information File/Path Exclusions

Exploited vulnerabilities

No CVEs attributed to this group in public sources (MITRE ATT&CK). Absence of attribution does not mean absence of activity.

Turla uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →