ATT&CK® Evaluations: Enterprise — Call for Participation with Turla (2023)

Ashwin Radhakrishnan
Published in MITRE-Engenuity
Jun 28, 2022 (3 min read)

We are thrilled to announce the Call for Participation for Round 5 of MITRE Engenuity ATT&CK® Evaluations: Enterprise, which is officially open now and closes on September 16, 2022. We expect another strong cohort this year, and are eager to engage with vendor participants, both new and existing. This round will focus on evaluating product capabilities against adversary behavior inspired by Turla (G0010) and will be executed in Q1 of 2023. Contact us at evals@mitre-engenuity.org to learn more about this round.

Why Turla

Turla is a unique adversary that the ATT&CK Evaluations team is thrilled to emulate. Active since at least the early 2000s, Turla is a sophisticated Russian-based threat group that has infected victims in over 45 countries. The group is known to target government agencies, diplomatic missions, military groups, and research and media organizations. [2] [3] Turla adopts novel and sophisticated techniques to maintain operational security, including the use of a distinctive command-and-control network in concert with their repertoire of open source and in-house tools. [4] [5] Turla is known for their targeted intrusions and innovative stealth. After establishing a foothold and conducting victim enumeration, Turla persists with a minimal footprint through in-memory or kernel implants. Turla executes highly targeted campaigns aimed at exfiltrating sensitive information from Linux and Windows infrastructure. [2] [3]

What to Look For

Over the next month you can expect the ATT&CK Evaluations team to deliver:

  1. A technique scope, which is the representation of every technique that may be included in this emulation plan
  2. A summary of the Detection Categories that can be expected during this Evaluation, consistent with the Detection Categories that we highlighted in Round 4
  3. A more detailed schedule that maps out the calendar for this round

If this is your first time hearing about ATT&CK Evaluations, visit our website for more information about our overall process. For reference, scheduling priority is set by the order in which contracts are signed, and the last day for signing is September 16, 2022.

Community Contributions

We would also like to send a big thank you to our fantastic community who sent CTI contributions for Wizard Spider and Sandworm for our last round. Similarly, we are excited to extend the opportunity to contribute for this upcoming round for Turla (G0010). If you are interested in contributing, please follow these steps:

  • Email us at evals@mitre-engenuity.org with your contribution. (If you’d prefer secure means, email us at the above address, and we’ll get back to you with a secure sharing method.) Your real name must be included for your information to be considered. Contributions from company accounts may add to the credibility of the information, but we are always happy to accept contributions from independent researchers.
  • We are looking for information about the group behaviors as well as the overall way they perform intrusions. Information structured using ATT&CK tactics and/or techniques is helpful, but not required.
  • Tell us how you would like to be credited. You can choose to be credited with your name and/or company name, or alternatively, you can choose to remain anonymous. For any anonymous contributors, we will work with you to produce a short statement about the general visibility you have that led to you having access to the information.
  • We will not accept any leaked, proprietary, or sensitive information that was not released with the permission of the original source. Contributions are strictly on a voluntary basis for researchers and analysts who wish to share their own information.

During the remainder of this year, we will put more content out via this Medium. To stay tuned for updates on this round and more, we encourage you to follow this account for notifications or reach out to us at evals@mitre-engenuity.org to explore this or other evaluation programs.
