ATT&CK® Evaluations Turla (2023): Exploring the Release Components and Navigating the New Visualizations

Amy L. Robertson
MITRE-Engenuity
7 min read · Sep 20, 2023


Written by Amy L. Robertson and Sonny Day.

The moment you’ve been waiting for has arrived — the results from the ATT&CK® Evaluations for Enterprise — Turla round are now available for exploration on the ATT&CK Evaluations website! You’ll also find the full Emulation Plan and all associated collateral readily accessible on the Adversary Emulation Library.

This round showcased Tactics, Techniques, and Procedures (TTPs) inspired by the Russian state-sponsored threat actor Turla. There were 29 participants in total, four of them taking part for the first time. Of those, 23 participants also took part in Protections (the variant that assesses how effectively solutions block adversary activity across the post-compromise lifecycle). As always, our goal is to give end-users unbiased insight into how well products detect advanced adversary behaviors, while collaborating with the participating vendors to evolve their products. We’re excited to have partnered with such a diverse group and are eager to share the findings and insights with the community.

Emulating Turla

Through the lens of the MITRE ATT&CK knowledge base, this round focused on adversary behavior inspired by Turla (G0010). Turla stands out as one of the most sophisticated threat actors, displaying tradecraft that is platform diverse, dynamic in stealth, and layered in persistence.

In operation since at least the early 2000s, Turla is a Russia-based threat group linked to the Russian Federal Security Service (FSB). Their reach has extended to infecting victims across more than 50 countries, with a primary focus on government agencies, diplomatic missions, military entities, research and educational institutions, critical infrastructure sectors, and media organizations. Turla employs novel techniques and custom tooling to elude defenses and persist on target networks, including the complex “Snake” malware, which was recently disrupted by the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, the U.S. Cyber Command Cyber National Mission Force, and six other intelligence and cybersecurity agencies from the Five Eyes member nations. The threat group is also known for its adaptability and willingness to evolve behaviors and tools to achieve campaign objectives.

We chose Turla based on their innovative stealth, the relevancy of their activity to various sectors, and the breadth of open-source reporting on their tradecraft. The emulation represents how Turla achieves post-exploitation persistence with a minimal footprint through in-memory or kernel implants, evades detection by defensive tools, and exfiltrates sensitive information from Linux and Windows infrastructure.

This round focused on kernel and service level operations that often run with the same permissions as detection and protection products. We combined relevant TTPs from a number of Turla campaigns in our Emulation Plan to reflect the signature tradecraft of the group, leveraging open-source intelligence to ensure an accessible and reusable plan.

The emulation follows Turla’s multi-phase intelligence gathering campaign, targeting entities holding data relevant to the FSB.

  • During phase one, Turla plants a watering hole on a frequently visited site as a way to compromise additional targets of interest. Turla gains initial access through a spearphishing email, then pivots from machine to machine until the attackers arrive at a Linux Apache server, where PENGUIN is copied to the server and used to install the watering hole.
  • In phase two, the threat actors establish a typo-squatting website to target entities with high-value information. The victims are prompted to update their (Not)Flash, and in doing so EPIC is installed on their network. The threat group then deploys SNAKE to maintain a foothold, elevate privileges with kernel access, and communicate with its C2, before moving laterally across the network to install LIGHTNERON, which enables collection and staging for exfiltration. Turla then assembles and exfiltrates sensitive communications to inform counterintelligence mission objectives.

Drawing from Turla’s in-the-wild activity, the Emulation Plan incorporates the SNAKE malware, featuring privilege escalation via exploitation of a known vulnerability and defense evasion through a rootkit. Other behaviors widely seen in Turla’s attacks and included in the plan are spearphishing, drive-by compromise, implant execution via remote scheduled task, lateral movement via PsExec and pass-the-hash, credential dumping, and exfiltration over email. The technique scope was executed across multiple machines, providing an Evaluation applicable to enterprise environments that are targets for similar behavior by dynamically operating threat actors.

Release Components

For every Evaluation, we release a range of technical products on both the ATT&CK Evaluations website and on the Adversary Emulation Library. These resources are developed to enable you to effectively assess the results, understand our process, and recreate the emulation in your own environment:

ATT&CK Evaluations Website

  • Results: each participant’s results from ATT&CK® Evaluations: Enterprise — Turla.
  • Operational Flow: a diagram to describe the general operational flow of the Emulation Plan with some associated qualitative content to describe the scenario.
  • Technique Scope: a MITRE ATT&CK Navigator representation of the specific techniques used in this emulation.
  • Environment: an environment diagram representing the Turla range.
  • Detection Categories: the six categories used to classify how each sub-step (i.e., the implementation of the specific technique-under-test) within the Emulation Plan was detected.
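The Technique Scope above is published as an ATT&CK Navigator layer, and the behaviors listed in the Emulation Plan section (spearphishing, drive-by compromise, remote scheduled task, kernel privilege escalation, rootkit, credential dumping, pass-the-hash, PsExec, exfiltration over email) map onto ATT&CK technique IDs. The following is an added example, not code from the post or from MITRE Engenuity, of how a defender can build such a layer themselves and diff it against the techniques they believe their own detections cover. The technique-to-sub-step mapping and the Navigator version numbers in it are assumptions for illustration; the round’s real Technique Scope is the one on the Evaluations website.

```python
"""Build an ATT&CK Navigator layer from an emulation technique scope and
colour each technique by whether the defender's own coverage list hits it.

Added example. The scope below is a hypothetical reading of the Turla flow
described in the post, not the round's published Technique Scope.
"""
import json

# Constructed scope: (ATT&CK technique ID, tactic, sub-step description).
# The IDs are real Enterprise IDs; their assignment to sub-steps is assumed.
TURLA_SCOPE = [
    ("T1566.001", "initial-access", "Spearphishing email with malicious attachment"),
    ("T1204.002", "execution", "User opens the (Not)Flash update"),
    ("T1189", "initial-access", "Watering hole on compromised Apache server"),
    ("T1053.005", "execution", "Implant executed via remote scheduled task"),
    ("T1068", "privilege-escalation", "Kernel privilege escalation (SNAKE)"),
    ("T1014", "defense-evasion", "Rootkit hides SNAKE components"),
    ("T1003", "credential-access", "Credential dumping"),
    ("T1550.002", "lateral-movement", "Pass the hash"),
    ("T1021.002", "lateral-movement", "PsExec over SMB admin shares"),
    ("T1048.003", "exfiltration", "Exfiltration over email"),
]

# Constructed defender coverage list, as a team might maintain in a spreadsheet.
COVERED = {"T1566", "T1053.005", "T1003", "T1021.002"}


def is_covered(technique_id, covered):
    """Design choice for this example: a sub-technique (T1566.001) counts as
    covered if the defender lists it exactly OR lists its parent (T1566).
    A parent listed in the scope is only covered by an exact match."""
    if technique_id in covered:
        return True
    parent = technique_id.split(".")[0]
    return parent != technique_id and parent in covered


def coverage_gaps(scope, covered):
    """Sorted, de-duplicated technique IDs in the scope with no coverage."""
    return sorted({tid for tid, _, _ in scope if not is_covered(tid, covered)})


def build_layer(name, scope, covered):
    """Return a Navigator layer dict: score 1 / green for covered, 0 / red for gaps.
    One entry per (technique, tactic) pair, as Navigator allows."""
    techniques = []
    for tid, tactic, desc in scope:
        hit = is_covered(tid, covered)
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": 1 if hit else 0,
            "color": "#8ec843" if hit else "#ff6666",
            "comment": desc,
            "enabled": True,
            "showSubtechniques": "." in tid,
        })
    gaps = coverage_gaps(scope, covered)
    return {
        "name": name,
        # Assumed version strings; set them to match your Navigator deployment.
        "versions": {"attack": "13", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"{len(scope)} sub-steps, {len(gaps)} uncovered techniques",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 1},
        "legendItems": [
            {"label": "covered by our detections", "color": "#8ec843"},
            {"label": "gap", "color": "#ff6666"},
        ],
    }


def layer_json(name, scope, covered):
    """Serialise the layer so it can be loaded via Navigator's 'Open Existing Layer'."""
    return json.dumps(build_layer(name, scope, covered), indent=2)


if __name__ == "__main__":
    print("gaps:", coverage_gaps(TURLA_SCOPE, COVERED))
    print(layer_json("Turla emulation vs our coverage", TURLA_SCOPE, COVERED))
```

Load the printed JSON in Navigator to see the scope coloured by your own coverage; the parent-covers-sub-technique rule in `is_covered` is deliberately generous, so tighten it if your detection inventory is maintained at sub-technique granularity.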

Adversary Emulation Library

The technical collateral for this round is featured in the Adversary Emulation Library, and can be leveraged to understand, recreate, and defend against the adversary behaviors showcased in this Evaluation.

  • Emulation Plan: the steps and sub-steps used in this Evaluation, linked to CTI reporting and mapped to ATT&CK.
  • Binaries: the specific technical artifacts that you can leverage to recreate this emulation in your own environment.
  • Infrastructure Setup: the technical details of the infrastructure utilized for each service provider that participated in this Evaluation.
  • YARA Rules: signatures to help detect the activity described in the Emulation Plan.
  • Caldera Port: an automated implementation of the Emulation Plan for use in your own environment.

Interacting with the Results: Now with Enhanced Visualization

For data-centric products such as ATT&CK Evaluations, user-centered design is a paramount focus. With this round, we’re unveiling a redesigned results experience driven by a single goal: letting users work with our results quickly and with confidence. We want an experience that not only simplifies the process, but also ensures that users can make informed decisions with ease and precision.

We want to thank all of our users, participants, the Community Advisor Board (CAB), and the Vendor Council (VC) members for their participation and input into our new results design.

Based on our research, our redesign focused on four main goals:

Show the results data in a simpler and more intuitive way

Through our research and interviews, we identified a common challenge: the results data could often appear fragmented and complex, posing difficulties for even the most seasoned subject matter experts.

To address this, our new design takes a user-centric approach by prominently featuring visual charts, which offer a concise and relevant summary of the results. This enables rapid interpretation for practitioners and decision-makers alike, while those who want the intricate details can still explore them, all from a single screen.

Summarized chart view

Allow viewing multiple participants in one results view

Previously, a user who wanted to view multiple participants had to juggle multiple browser windows and different results pages, and even then the experience could be clumsy.

Our new design continues the theme of minimizing context switching, enabling you to review up to three participants’ results in one results view.

Multiple participants in one view

Enable users to view results data through a lens of specificity

Dynamic filters have been added to the results to enable users to tailor their view to focus on specific tactics and techniques they find important or focus on a single step in the evaluation operational flow.

Viewing results for specific MITRE ATT&CK® tactics and techniques

Minimize context switching

Screenshots are now incorporated in-line with the results; you’ll no longer need to open several windows in order to match up a screenshot, a data source, step detail, tactics, or techniques. The new layout lets users view all of this information with very little context switching.

Screenshots and evidence are now more easily navigated

We’re excited to unveil these new visualization updates for the results, and we hope you find them both informative and visually engaging. These enhancements aim to provide a more accessible and intuitive way to digest the insights from our Evaluations. We continuously strive to enhance the user experience with each round, so please stay tuned as we work on further improvements and explore innovative ways to enable you to better understand and defend against known adversary behaviors. User feedback is instrumental to this process, so we look forward to continuing on this journey with you.

Navigating the Results and Looking Forward

In the upcoming days, we’ll be publishing a separate blog post to provide our readers with more in-depth insights into exploring the Turla results. Keep an eye out for that deeper dive into the findings.

We hope that as you review our data, as well as the analyses released by others, you’ll prioritize the results that are most significant for your particular use case. We don’t designate winners, and remind one and all that there is no universally perfect way to view the data, and no silver-bullet metric.

If you are interested in participating in a future ATT&CK Evaluation (whether that’s Enterprise, Managed Services or ICS!), please reach out to evals@mitre-engenuity.org.

User interface is subject to change without notice. Participants shown are fictitious for illustrative purposes only.
