Attack Flow for Turla

Lauren Parker
MITRE-Engenuity

--

MITRE Engenuity’s Center for Threat-Informed Defense and ATT&CK Evaluations have collaborated to release Attack Flow for Turla. The attack flow focuses on the adversary emulated during the 5th round of Enterprise Evaluations (2023) and combines elements of the emulation plan and the evaluation criteria to create a comprehensive diagram of the incident. You’ll be able to use the attack flow to learn about some of Turla’s tactics, techniques, and procedures (TTPs) and the corresponding infrastructure used during the Enterprise Round 5 Evaluation.

What is Attack Flow?

Attack Flow is a common language for portraying complex, varying incidents and attackers. It highlights the dependencies and conditions between attack techniques, enabling defenders to focus on sequences of behaviors that lead to the adversary’s goal. The Attack Flow language incorporates STIX objects and supports the following use cases: threat intelligence, defensive posture, executive communications, incident response, adversary emulation, and threat hunting. The Attack Flow builder allows users to easily visualize an adversary and their behaviors. With this, defenders can understand how incidents occur and how adversaries operate to improve their own defensive posture.

Attack Flow 2.1 is our most recent release and includes several new features. To contribute to the Attack Flow project or provide feedback, please review the GitHub repository.

What are ATT&CK Evaluations?

Since 2018, MITRE ATT&CK Evaluations has worked with vendors to evaluate their cybersecurity products against various threat groups. For each round, adversaries are chosen based on industry trends and vulnerabilities, the relevancy of threat actor TTPs to EDR and managed service vendors, and the availability of open-source reporting. The purpose of ATT&CK Evaluations is to secure organizations against known threats through:

  • Objective insight into how participating security products perform against the known threat;
  • Transparency on the capabilities of participating security products; and
  • Encouragement for participating vendors to improve their products’ capabilities to counteract the current threat environment.

All methodologies and results from the evaluations are publicly released and demonstrate how various security products detect techniques from the MITRE ATT&CK framework.

Who is Turla?

Turla, also known as Venomous Bear, is a sophisticated, Russia-based threat group with ties to the Russian Federal Security Service (FSB). They have been active since the early 2000s and have infected victims across 50 countries spanning multiple sectors, including government, military, education, and research. They are known to utilize novel techniques and custom tools to maintain persistence with a minimal footprint. Turla was chosen for MITRE ATT&CK Evaluations Round 5 due to their relevancy, unique challenges, and breadth of reporting. Specific details behind choosing Turla are outlined in this MITRE Engenuity blog post.

How did we get here?

MITRE ATT&CK Evaluations are released with the evaluation criteria, mapped to MITRE ATT&CK techniques, and the Adversary Emulation Library. In conjunction with these results, MITRE Engenuity is releasing two attack flows (surprise!), one for each scenario used during the evaluation. The attack flows are based on the evaluation criteria, informed by cyber threat intelligence (CTI) and the emulation plan. The first attack flow diagrams the Day 1 scenario — Turla using EPIC, CARBON, and PENQUIN malware to target Windows and Linux systems and establish a watering hole. The second attack flow shows the Day 2 scenario — Turla using EPIC, SNAKE, and LIGHTNEURON malware for kernel and Microsoft Exchange exploitation. The flows incorporate Turla’s actions and techniques used during the evaluation, as well as the additional actions and infrastructure our development team required for a successful emulation. Each flow highlights the dependencies between different behaviors to show how Turla achieved persistence and exfiltrated information.

Who can benefit from the Turla attack flows?

Everyone! Anyone who is reviewing the Enterprise Round 5 Evaluation results, or interested in learning more about how Turla operates, could benefit from the Turla attack flows. The attack flows display a comprehensive overview of the evaluation, which could prove useful while readers are reviewing the in-depth information for each sub-step of the evaluation. The overview reminds the reader how certain actions were able to happen (their dependencies) and where they occurred in the overall incident. Separate from the evaluation results, the attack flows show a subset of malware and techniques used by Turla. Defenders can use this information to ensure their products and environments are prepared to protect against Turla, even if they didn’t participate in the Enterprise evaluations. The intuitive format of the attack flows seeks to inform the reader about how Turla behaves so defenders and organizations will be better prepared to protect against this threat.

Day 1 Attack Flow: CARBON scenario

Day 2 Attack Flow: SNAKE scenario

© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number AT0055.

--


Lauren Parker is a Senior Cyber Security Engineer at MITRE. She has a background in Digital Forensics, Threat Hunting, and Malware Analysis.