ATK13

Presumed Origin: Russia

Alias: Group 88, Hippo Team, Iron Hunter, KRYPTON, MAKERSMARK, Pacifier APT, Pfinet, Popeye, SIG23, Snake, TAG_0530, Turla, Turla Group, Turla Team, Uroburos, VENOMOUS Bear, WRAITH, Waterbug, WhiteBear

ATK13 (aka Turla, Uroburos, Waterbug, Venomous Bear) is a cyber espionage threat actor active since at least 2008, when it breached the US Department of Defense. It is a Russian-speaking group and is widely believed to be a Russian state-sponsored organization.

 

In 2015, Kaspersky described ATK13 as one of "several elite APT groups [that] have been using — and abusing — satellite links to manage their operations — most often, their C&C infrastructure". Because APT C&C servers are regularly seized or taken down by authorities, routing C&C over satellite hides the true location of the server: a satellite receiver can sit anywhere inside the satellite's coverage footprint, which is typically very large. Doing this legitimately means paying for an expensive full-duplex link ("a simple duplex 1Mbit up/down satellite link may cost up to $7000 per week"); the alternative is to hijack the traffic between a satellite subscriber and the satellite operator, which in principle requires compromising the satellite provider itself or another ISP on the path. Kaspersky observed that ATK13 instead abused the fact that common one-way (DVB-S) satellite downlinks are unencrypted: by receiving the downlink with an ordinary dish and spoofing the IP address of a legitimate subscriber in that footprint, the operators could collect C&C traffic addressed to that subscriber without ever touching the provider. The oldest sample Kaspersky found using a satellite connection was compiled in November 2007.

 

During 2018 and 2019, ATK13 continued to target governments and international organizations in successive waves of attacks and kept improving its tooling. The most recent of these operations was directed at a rival: the Iranian APT group OilRig, whose infrastructure ATK13 compromised and reused for its own operations.

 

Turla's attack on one of Iran's most capable groups combines opportunism with geopolitical interest. Since the 2014 annexation of Crimea, Western sanctions and falling oil prices have pushed Russia into recession. Russia has accordingly moved closer to Saudi Arabia, whose alliance with the United States had weakened under the Obama administration in the wake of the Iranian nuclear agreement, which the former US President supported. The change in American diplomatic line since the election of Donald Trump does not appear to have drawn Saudi Arabia away from this rapprochement. Iran has denounced it, most recently at the OPEC meeting in Vienna in July 2019. The tension is also economic, as both countries are positioning themselves for the European gas market.


Target sector

  • Aerospace
  • Defense
  • Education
  • Government and administration agencies
  • High-Tech
  • International Organizations
  • Military
  • Political Organizations
  • Research

Target countries

  • Afghanistan
  • Belarus
  • Belgium
  • Finland
  • France
  • Germany
  • India
  • Iran, Islamic Republic Of
  • Iraq
  • Italy
  • Jordan
  • Kazakhstan
  • Netherlands
  • Poland
  • Romania
  • Russian Federation
  • Saudi Arabia
  • Tajikistan
  • United Kingdom Of Great Britain And Northern Ireland
  • United States Of America
  • Uzbekistan

Attack pattern

  • T1004 - Winlogon Helper DLL
  • T1007 - System Service Discovery
  • T1011 - Exfiltration Over Other Network Medium
  • T1012 - Query Registry
  • T1016 - System Network Configuration Discovery
  • T1018 - Remote System Discovery
  • T1049 - System Network Connections Discovery
  • T1055 - Process Injection
  • T1057 - Process Discovery
  • T1060 - Registry Run Keys / Startup Folder
  • T1066 - Indicator Removal from Tools
  • T1071 - Standard Application Layer Protocol
  • T1077 - Windows Admin Shares
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1086 - PowerShell
  • T1102 - Web Service
  • T1105 - Remote File Copy
  • T1110 - Brute Force
  • T1124 - System Time Discovery
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1204 - User Execution
  • T1555.004 - Windows Credential Manager
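
The list above names two Windows persistence techniques, Winlogon Helper DLL (T1004) and Registry Run Keys / Startup Folder (T1060), without showing what to look for on a host. The following hunting script is an added example written for this page, not code from the original profile or from any vendor report on this group. It assumes a stock Windows 10/11 build: the "expected" Winlogon defaults and the list of trusted install directories are assumptions and should be adjusted for your environment. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original page: host-side hunt for two of the
# persistence techniques listed above, Winlogon Helper DLL (T1004) and
# Registry Run Keys (T1060). Defaults and trusted paths are assumptions for
# a stock Windows 10/11 install; adjust for your build.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# T1004: Shell and Userinit are the values an attacker edits so that an
# extra DLL or EXE is loaded at logon by winlogon.exe / userinit.exe.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

$findings = @()
$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = [string]$props.$name
    # -ne is case-insensitive in PowerShell, so only a real change is reported.
    if ($actual -and ($actual.Trim() -ne $expected[$name])) {
        $findings += [pscustomobject]@{ Technique = 'T1004'; Location = "$winlogon\$name"; Value = $actual }
    }
}

# Legacy Notify subkeys (Windows XP/2003) load DLLName into winlogon.exe;
# any surviving entry on a modern host deserves a look.
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
        $findings += [pscustomobject]@{ Technique = 'T1004'; Location = $_.PSPath; Value = $dll }
    }
}

# T1060: report every Run/RunOnce value whose image lies outside the
# directories normally used by installed software.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed trusted prefixes; user-writable locations such as %APPDATA% and
# %TEMP% are deliberately not on this list.
$trustedPrefixes = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($valueName)
        # Strip surrounding quotes and arguments to isolate the executable path.
        $exe = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $trusted = $false
        foreach ($p in $trustedPrefixes) {
            if ($exe.StartsWith($p, 'OrdinalIgnoreCase')) { $trusted = $true }
        }
        if (-not $trusted) {
            $findings += [pscustomobject]@{ Technique = 'T1060'; Location = "$key\$valueName"; Value = $cmd }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No anomalous Winlogon or Run-key entries found.'
}
```

A hit is a lead, not a verdict: legitimate software does install Run-key entries under the user profile, so each reported image should be checked by hash, signature and creation time before being treated as persistence for this group.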

Motivation

  • Espionage

Malware

  • Agent.btz
  • Carbon
  • ComRAT
  • Crutch
  • Epic
  • Gazer
  • Kazuar
  • KopiLuwak
  • Mimikatz
  • Mosquito
  • Neptun
  • TinyTurla
  • Turla Outlook backdoor
  • Uroburos

Vulnerabilities

  • CVE-2009-3129
  • CVE-2012-1723
  • CVE-2012-4681
  • CVE-2013-2729
  • CVE-2013-3346
  • CVE-2013-5065