This article surveys Turla, a long-running Russian APT, detailing its evolving toolkit and the MITRE techniques linked to campaigns from 2014 to 2023. It highlights multi-stage attacks, Linux and Windows backdoors, watering holes, phishing, and C2 methods, including Capibar, Kazuar, Gazer, Crutch, and TinyTurla.
#Turla #EpicTurla #PenguinTurla #Gazer #Kazuar #Crutch #Capibar #TinyTurla
Keypoints
- Turla is a long-running, sophisticated APT believed to operate since at least 2004 with a global footprint targeting government, military, and related sectors.
- The group employs a modular toolkit (backdoors like Carbon, Cobra, Kazuar, Gazer, Crutch, Capibar, TinyTurla) and satellite-based C2 to evade detection.
- Epic Turla (2014) used multi-stage attacks combining CVEs with watering-hole and spear-phishing techniques, and deployed backdoors such as Carbon and Cobra.
- Turla expanded to Linux with Penguin Turla (2014), showing cross-platform capabilities beyond Windows.
- Across years, Turla has leveraged phishing, watering holes, backdoors, DLL hijacking, credential theft, and data exfiltration via multiple channels (including email and cloud storage).
- In 2022–2023, Turla continued reconnaissance and espionage, notably the Capibar/Kazuar campaign targeting Ukrainian assets and diplomatic/military organizations.
MITRE Techniques
- [T1189] Drive-by Compromise – The August 2014 Epic Turla campaign leveraged drive-by infection via watering holes and Java exploits. ‘the attacks, which exploited the vulnerabilities CVE-2013-5065 and CVE-2013-3346, employed spear-phishing emails that used Adobe PDF exploits and watering-hole techniques that used Java exploits (CVE-2012-1723)’
- [T1566] Phishing – The Epic Turla campaign used spear-phishing emails as part of initial access. ‘the attacks, which exploited the vulnerabilities CVE-2013-5065 and CVE-2013-3346… spear-phishing emails that used Adobe PDF exploits and watering-hole techniques’
- [T1204.002] User Execution: Malicious File – Execution via user interaction as part of the Epic Turla campaign. ‘…User Execution: Malicious File’
- [T1047] Windows Management Instrumentation – Kazuar-related activity includes WMI-based discovery/queries. ‘the tasklist command uses a Windows Management Instrumentation (WMI) query to obtain running process’
- [T1547.009] Boot or Logon Autostart Execution: Shortcut Modification – Kazuar uses startup modifications to persist. ‘adds an LNK file to the Windows startup folder’
- [T1010] Application Window Discovery – Kazuar includes application window discovery during discovery. ‘gathers information about opened windows’
- [T1573] Encrypted Channel – Gazer relies on encrypted C2 channels. ‘Turla encrypts Gazer’s C&C server using its own library for 3DES and RSA’
- [T1071] Application Layer Protocol – Capibar/Kazuar campaigns utilize application-layer channels for C2/exfiltration. ‘Application Layer Protocol’
- [T1105] Ingress Tool Transfer – Capibar/Kazuar campaigns involve transfers of tools/assets for execution. ‘Ingress Tool Transfer’
- [T1567] Exfiltration – Capibar/Kazuar include exfiltration actions via various channels. ‘Exfiltration’
- [T1567.002] Exfiltration to Cloud Storage – Capibar campaigns exfiltrate collected data to cloud storage services. ‘Exfiltration to Cloud Storage’
- [T1027] Obfuscated Files or Information – Capibar includes obfuscation of data. ‘Obfuscated Files or Information’
- [T1059] Command and Scripting Interpreter – Capibar/Kazuar use scripting interfaces during execution. ‘Command and Scripting Interpreter’
- [T1036.004] Masquerading: Masquerade Task or Service – Crutch and TinyTurla use masquerading techniques. ‘Masquerade Task or Service’
- [T1120] Peripheral Device Discovery – Crutch/TinyTurla show peripheral/device discovery aspects. ‘Peripheral Device Discovery’
- [T1025] Data from Removable Media – Crutch collects data from removable media. ‘Data from Removable Media’
- [T1074.001] Data Staged: Local Data Staging – Crutch stages data locally before exfiltration. ‘Data Staged: Local Data Staging’
- [T1119] Automated Collection – Crutch automates collection routines. ‘Automated Collection’
- [T1560.001] Archive Collected Data: Archive via Utility – Crutch archives collected data. ‘Archive Collected Data: Archive via Utility’
- [T1008] Fallback Channels – Crutch uses fallback channels for C2. ‘Fallback Channels’
- [T1082] System Information Discovery – Kazuar-related discovery includes system info. ‘System Information Discovery’
- [T1069] Permission Groups Discovery – Capibar/Kazuar include discovery of permissions groups. ‘Permission Groups Discovery’
- [T1033] System Owner/User Discovery – Capibar/Kazuar include system user discovery. ‘System Owner/User Discovery’
- [T1083] File and Directory Discovery – Capibar/Kazuar include file/directory discovery. ‘File and Directory Discovery’
- [T1135] Network Share Discovery – Capibar/Kazuar include network share discovery. ‘Network Share Discovery’
- [T1016] System Network Configuration Discovery – Capibar/Kazuar include network config discovery. ‘System Network Configuration Discovery’
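The two Kazuar behaviours quoted above (an LNK file added to the Windows Startup folder, and a WMI query used to list running processes) are concrete enough to detect. The following is an added example of that detection logic, not code from the Trend Micro article or from any Turla tool; the event shape, field names, file paths and image names are all constructed for illustration.

```python
"""Toy detection logic (added example) that scans constructed endpoint events
for the Kazuar behaviours quoted above: a .lnk dropped into the Windows
Startup folder (T1547.009) and a WMI query enumerating running processes
(T1047). All event fields, paths and image names are constructed."""
import re
from typing import Dict, List

# Constructed sample events in a Sysmon-like shape (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"type": "FileCreate", "image": r"C:\Users\alice\AppData\Local\Temp\svchosts.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "FileCreate", "image": r"C:\Program Files\Office\winword.exe",
     "target": r"C:\Users\alice\Documents\report.docx"},
    {"type": "WmiQuery", "image": r"C:\Users\alice\AppData\Local\Temp\svchosts.exe",
     "query": "SELECT Name, ProcessId FROM Win32_Process"},
    {"type": "WmiQuery", "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "query": "SELECT * FROM Win32_OperatingSystem"},
]

STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
PROCESS_QUERY = re.compile(r"\bFROM\s+Win32_Process\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the ATT&CK technique IDs an event matches (empty list if none)."""
    hits: List[str] = []
    if event["type"] == "FileCreate" and STARTUP_LNK.search(event["target"]):
        hits.append("T1547.009")  # shortcut dropped into the Startup folder
    if event["type"] == "WmiQuery" and PROCESS_QUERY.search(event["query"]):
        hits.append("T1047")  # WMI used to enumerate running processes
    return hits


def correlate(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hits by originating image: one image showing both persistence
    and WMI discovery is a stronger signal than either event alone."""
    by_image: Dict[str, set] = {}
    for ev in events:
        for tid in classify(ev):
            by_image.setdefault(ev["image"], set()).add(tid)
    return {img: sorted(t) for img, t in by_image.items()}


def suspicious_images(events: List[Dict[str, str]]) -> List[str]:
    """Images with at least one hit that also run from a user-writable path."""
    return sorted(img for img in correlate(events) if USER_WRITABLE.match(img))


if __name__ == "__main__":
    for img, techs in correlate(EVENTS).items():
        print(img, techs)
```

Real deployments would read these events from Sysmon (event IDs 11 and 19-21) or EDR telemetry rather than an inline list.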
May: ComRAT v4
- [T1059] Command and Scripting Interpreter – ComRAT v4 uses scripting/interpreter commands. ‘Command and Scripting Interpreter’
- [T1053] Scheduled Task/Job – Persistence via scheduled tasks. ‘Scheduled Task/Job’
- [T1055] Process Injection – Defense evasion via process injection. ‘Process Injection’
- [T1112] Modify Registry – Registry modification for persistence/evading defenses. ‘Modify Registry’
- [T1027] Obfuscated Files or Information – Obfuscation in Capibar/Kazuar tooling. ‘Obfuscated Files or Information’
- [T1071] Application Layer Protocol / [T1102] Web Service – C2 over web services. ‘Web Service’
- [T1041] Exfiltration Over C2 Channel – Exfiltration over C2 channel. ‘Exfiltration Over C2 Channel’
- [T1048] Exfiltration Over Alternative Protocol – Exfiltration via alternative protocols. ‘Exfiltration Over Alternative Protocol’
Indicators of Compromise
- [CVE] vulnerability IDs – CVE-2013-5065, CVE-2013-3346, and CVE-2012-1723 (Epic Turla watering-hole and phishing campaigns)
Read more: https://www.trendmicro.com/en_us/research/23/i/examining-the-activities-of-the-turla-group.html