Bringing cybersecurity globally to critical and complex key activities
Alias: Group 88, Hippo Team, Iron Hunter, KRYPTON, MAKERSMARK, Pacifier APT, Pfinet, Popeye, SIG23, Snake, TAG_0530, Turla, Turla Group, Turla Team, Uroburos, VENOMOUS Bear, WRAITH, Waterbug, WhiteBear
ATK13 (aka: Turla, Uroburos, Waterbug, Venomous Bear) is a cyber espionage threat actor active since at least 2008, when it breached the US Department of Defense. ATK13 is a Russian-speaking group and widely believed to be a Russian state-sponsored organization.
In 2015, Kaspersky described ATK13 as one of the "several elite APT groups have been using — and abusing — satellite links to manage their operations — most often, their C&C infrastructure". Indeed, while APT CnC servers are regularly taken down by authorities, satellite connexion hide the exact location of the servers. Satellite-based Internet receivers can be located anywhere within the area covered by a satellite, and this is generally quite large. To do that, the attacker need to pay an expensive connexion ("full duplex satellite links can be very expensive: a simple duplex 1Mbit up/down satellite link may cost up to $7000 per week") or hijack the network traffic between the victim and the satellite operator that requires either exploitation of the satellite provider itself, or of another ISP on the way. The oldest sample found by Kaspersky that used a satellite connexion has been compiled in November 2007.
During 2018 and 2019, ATK13 continues to target governments and international organizations in multiple waves of attacks and continues to improve its tools. The most recent attack targeted an Iranian APT group called OilRig.
Turla's attack on one of Iran's most successful groups combines opportunism and international interests. It should be recalled that since 2014 and the annexation of the Crimea, Western pressures and the fall of the oil price have plunged Russia into recession. For this reason, Russia has moved closer to Saudi Arabia, whose alliance with the United States had weakened under the Obama era in the alder of the Iranian nuclear agreement, supported by the former US President. It seems that the change in American diplomatic line since the election of Donald Trump has not diverted Saudi Arabia from this alliance. This rapprochement of interests is denounced by Iran, most recently at the OPEC meeting in Vienna in July 2019. The reason for the tension is also economic as both countries are positioning themselves to address the European gas market.
REFERENCES
Malpedia, Turla group
MITRE ATT&CK, Group: Turla, Waterbug, WhiteBear
Los Angeles Times, 28/11/2008, Pentagon computer networks attacked
30/11/2008, ThreatExpert, Agent.btz - A Threat That Hit Pentagon
The NewYork Times, 25/08/2010, Military Computer Attack Confirmed
G-Data, 28/02/2014, Uroburos - highly complex espionage software with Russian roots
BAE Systems, 02/2014, The Snake Campaign
Kaspersky, 12/03/2014, Agent.btz: a Source of Inspiration?
deresz@gmail.com & tecamac@gmail.com, 12/03/2014, Uroburos: the snake rootkit
Kaspersky, 07/08/2014, The Epic Turla Operation
Kaspersky, 08/12/2014, The ‘Penquin’ Turla - A Turla/Snake/Uroburos Malware for Linux
Kaspersky, 09/09/2015, Satellite Turla: APT Command and Control in the Sky
FireEye, 11/2015, PINPOINTING TARGETS: SECURITY REIMAGINED Exploiting Web Analytics to Ensnare Victims
Symantec, 14/01/2016, The Waterbug attack group
MELANI:GovCERT, 23/05/2016, APT Case RUAG
yle, 14/01/2016, Russian group behind 2013 Foreign Ministry hack
BitDefender, 30/06/2016, Pacifier APT
PassiveTotal, 17/08/2016, Snakes in the Satellites: On-going Turla Infrastructure
Kaspersky, 02/02/2017, KopiLuwak: A New JavaScript Payload from Turla
ESET, 30/03/2017, Carbon Paper: Peering into Turla’s second stage backdoor
PaloAlto, 03/05/2017, Kazuar: Multiplatform Espionage Backdoor with API Access
ESET, 06/06/2017, Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
ProofPoint, 17/08/2017, Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack
Kaspersky, 30/08/2017, Introducing WhiteBear
ESET, 30/08/2017, Gazing at Gazer - Turla’s new second stage backdoor
NCSC, 22/11/2017, Advisory: Turla group malware
ESET, 08/01/2018, Diplomats in Eastern Europe bitten by a Turla mosquito
NCSC, 18/01/2018, Turla group update Neuron malware
The Guardian, 01/03/2018, German government intranet under 'ongoing attack'
ESET, 22/05/2018, Turla Mosquito: A shift towards more generic tools
ESET, 22/08/2018, Turla Outlook Backdoor - Analysis of an unusual Turla backdoor
Kaspersky, 04/10/2018, Shedding Skin – Turla’s Fresh Faces
ESET, 07/05/2019, Turla LightNeuron: An email too far
ESET, 29/05/2019, A dive into Turla PowerShell usage
Symantec, 19/06/2019, Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
ESET, 12/03/2020, https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/
Anomali, 17/03/2020, https://www.anomali.com/blog/weekly-threat-briefing-russian-apt-microsoft-smb-vulnerability-virgin-media-data-leak-and-more