Turla
Aliases: IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear, Secret Blizzard, BELUGASTURGEON
Turla is a cyber espionage threat group attributed to Russia's Federal Security Service (FSB). Active since at least 2004, the group has compromised victims in over 50 countries across government, embassies, military, education, research and pharmaceutical organizations. Turla is known for watering hole and spearphishing campaigns and for its in-house tools and malware, such as the Uroburos rootkit.
ATT&CK techniques
T1584.006 Compromise Infrastructure: Web Services
T1112 Modify Registry
T1069.001 Permission Groups Discovery: Local Groups
T1140 Deobfuscate/Decode Files or Information
T1588.002 Obtain Capabilities: Tool
T1059.007 Command and Scripting Interpreter: JavaScript
T1134.002 Access Token Manipulation: Create Process with Token
T1562.001 Impair Defenses: Disable or Modify Tools
T1059.005 Command and Scripting Interpreter: Visual Basic
T1546.013 Event Triggered Execution: PowerShell Profile
T1583.006 Acquire Infrastructure: Web Services
T1055.001 Process Injection: Dynamic-link Library Injection
T1105 Ingress Tool Transfer
T1555.004 Credentials from Password Stores: Windows Credential Manager
T1090 Proxy
T1068 Exploitation for Privilege Escalation
T1615 Group Policy Discovery
T1049 System Network Connections Discovery
T1106 Native API
T1071.003 Application Layer Protocol: Mail Protocols
T1021.002 Remote Services: SMB/Windows Admin Shares
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1005 Data from Local System
T1012 Query Registry
T1007 System Service Discovery
T1110 Brute Force
T1570 Lateral Tool Transfer
T1189 Drive-by Compromise
T1584.004 Compromise Infrastructure: Server
T1087.002 Account Discovery: Domain Account
T1564.012 Hide Artifacts: File/Path Exclusions
T1120 Peripheral Device Discovery
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1102.002 Web Service: Bidirectional Communication
T1071.001 Application Layer Protocol: Web Protocols
T1124 System Time Discovery
T1087.001 Account Discovery: Local Account
T1204.001 User Execution: Malicious Link
T1090.001 Proxy: Internal Proxy
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1560.001 Archive Collected Data: Archive via Utility
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1057 Process Discovery
T1016 System Network Configuration Discovery
T1587.001 Develop Capabilities: Malware
T1025 Data from Removable Media
T1518.001 Software Discovery: Security Software Discovery
T1059.001 Command and Scripting Interpreter: PowerShell
T1027.010 Obfuscated Files or Information: Command Obfuscation
T1059.006 Command and Scripting Interpreter: Python
T1213 Data from Information Repositories
T1018 Remote System Discovery
T1588.001 Obtain Capabilities: Malware
T1069.002 Permission Groups Discovery: Domain Groups
T1027.011 Obfuscated Files or Information: Fileless Storage
T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
T1553.006 Subvert Trust Controls: Code Signing Policy Modification
T1566.002 Phishing: Spearphishing Link
T1016.001 System Network Configuration Discovery: Internet Connection Discovery
T1102 Web Service
T1082 System Information Discovery
T1584.003 Compromise Infrastructure: Virtual Private Server
T1036.005 Masquerading: Match Legitimate Name or Location
T1055 Process Injection
T1078.003 Valid Accounts: Local Accounts
T1201 Password Policy Discovery
T1083 File and Directory Discovery
T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
T1566.001 Phishing: Spearphishing Attachment
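Four of the techniques in the list above are host persistence mechanisms that a triage of a suspected Turla host should check first: Registry Run keys and Startup folders (T1547.001), Winlogon helper values (T1547.004), WMI event subscriptions (T1546.003) and PowerShell profiles (T1546.013). The script below is an added example written for this page, not code from the page, from the actor, or from any of the correlated reports. It assumes an elevated PowerShell session on a modern Windows host, that the stock Winlogon values are `explorer.exe` and `<SystemRoot>\system32\userinit.exe,` (trailing comma included), and that the analyst will judge each finding; the function name `Add-Finding` and the `$findings` collection are the example's own. It only reads; nothing is changed.

```powershell
# Added example (not from the original page): enumerate the persistence
# locations behind T1547.001, T1547.004, T1546.003 and T1546.013.
# Run elevated. Output is a table of findings for an analyst to review.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Technique, [string]$Location, [string]$Value)
    $findings.Add([pscustomobject]@{ Technique = $Technique; Location = $Location; Value = $Value })
}

# T1547.001 Registry Run Keys / Startup Folder
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty attaches to every result
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                Add-Finding 'T1547.001' "$key\$($p.Name)" ([string]$p.Value)
            }
        }
    }
}
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File -Force | ForEach-Object { Add-Finding 'T1547.001' $dir $_.Name }
    }
}

# T1547.004 Winlogon Helper DLL: Shell and Userinit should still be the stock values
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
$expected = @{
    Shell    = 'explorer.exe'                              # assumed stock value
    Userinit = "$env:SystemRoot\system32\userinit.exe,"    # assumed stock value, trailing comma is normal
}
foreach ($name in $expected.Keys) {
    $actual = [string]$wl.$name
    if ($actual.Trim() -ine $expected[$name]) {
        Add-Finding 'T1547.004' "$winlogon\$name" $actual
    }
}
# Winlogon\Notify is a legacy location; any subkey on a current system deserves a look
if (Test-Path "$winlogon\Notify") {
    Get-ChildItem "$winlogon\Notify" | ForEach-Object { Add-Finding 'T1547.004' $_.PSPath '' }
}

# T1546.003 WMI Event Subscription: every filter-to-consumer binding plus the consumer payloads
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'T1546.003' '__FilterToConsumerBinding' "$($_.Filter) -> $($_.Consumer)" }
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        # CommandLineEventConsumer and ActiveScriptEventConsumer carry the executable payload
        $payload = if ($_.CommandLineTemplate) { $_.CommandLineTemplate } elseif ($_.ScriptText) { $_.ScriptText } else { '' }
        Add-Finding 'T1546.003' "$($_.CimClass.CimClassName) $($_.Name)" $payload
    }

# T1546.013 PowerShell Profile: any profile file that exists runs on every host start
$profilePaths = @(
    $PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost
) | Select-Object -Unique
foreach ($path in $profilePaths) {
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        Add-Finding 'T1546.013' $path "$size bytes"
    }
}

$findings | Sort-Object Technique, Location | Format-Table -AutoSize -Wrap
```

The output is a triage aid, not a verdict: Run-key entries from installed software, WMI bindings created by management agents, and administrator-authored profiles are all expected on many hosts. What matters is a value that points at an unsigned binary in a user-writable path, a consumer whose payload launches a script interpreter, or a profile on a host where nobody should have written one. Because Turla also uses fileless storage (T1027.011) and Registry modification (T1112), a Run-key or consumer value that merely references another Registry path is itself worth following up.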
Correlated CTI and IR reports
Israel Threat Actors CTI · explicit report mention: Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026)
Israel Threat Actors CTI · explicit report mention: IOC Tables — MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention