
Turla

Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)
ID: G0010
Associated Groups: Belugasturgeon, Krypton, Snake, Venomous Bear, Group 88, IRON HUNTER, Waterbug, WhiteBear
Version: 3.0
Created: 31 May 2017
Last Modified: 28 Sep 2022

Associated Group Descriptions

| Name | Description |
| --- | --- |
| Belugasturgeon | (Citation: Accenture HyperStack October 2020) |
| Krypton | (Citation: CrowdStrike VENOMOUS BEAR) |
| Snake | (Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla PowerShell May 2019)(Citation: Talos TinyTurla September 2021) |
| Venomous Bear | (Citation: CrowdStrike VENOMOUS BEAR)(Citation: Talos TinyTurla September 2021) |
| Group 88 | (Citation: Leonardo Turla Penquin May 2020) |
| IRON HUNTER | (Citation: Secureworks IRON HUNTER Profile) |
| Waterbug | Based similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.(Citation: Symantec Waterbug) |
| WhiteBear | WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017)(Citation: Talos TinyTurla September 2021) |

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Turla RPC backdoors can impersonate or steal process tokens before executing commands.(Citation: ESET Turla PowerShell May 2019)

Enterprise T1087 .001 Account Discovery: Local Account

Turla has used net user to enumerate local accounts on the system.(Citation: ESET ComRAT May 2020)(Citation: ESET Crutch December 2020)

.002 Account Discovery: Domain Account

Turla has used net user /domain to enumerate domain accounts.(Citation: ESET ComRAT May 2020)

Enterprise T1583 .006 Acquire Infrastructure: Web Services

Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.(Citation: ESET Crutch December 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Turla has used HTTP and HTTPS for C2 communications.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)

.003 Application Layer Protocol: Mail Protocols

Turla has used multiple backdoors which communicate with a C2 server via email attachments.(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.(Citation: Symantec Waterbug Jun 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.(Citation: ESET Turla Mosquito May 2018)(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019) Turla has also used PowerShell scripts to load and execute malware in memory.

.003 Command and Scripting Interpreter: Windows Command Shell

Turla RPC backdoors have used cmd.exe to execute commands.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)

.005 Command and Scripting Interpreter: Visual Basic

Turla has used VBS scripts throughout its operations.(Citation: Symantec Waterbug Jun 2019)

.006 Command and Scripting Interpreter: Python

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.(Citation: Unit 42 IronNetInjector February 2021)

.007 Command and Scripting Interpreter: JavaScript

Turla has used various JavaScript-based backdoors.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1584 .003 Compromise Infrastructure: Virtual Private Server

Turla has used the VPS infrastructure of compromised Iranian threat actors.(Citation: NSA NCSC Turla OilRig)

.004 Compromise Infrastructure: Server

Turla has used compromised servers as infrastructure.(Citation: Recorded Future Turla Infra 2020)(Citation: Accenture HyperStack October 2020)(Citation: Talos TinyTurla September 2021)

.006 Compromise Infrastructure: Web Services

Turla has frequently used compromised WordPress sites for C2 infrastructure.(Citation: Recorded Future Turla Infra 2020)

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Turla has gathered credentials from the Windows Credential Manager tool.(Citation: Symantec Waterbug Jun 2019)

Enterprise T1587 .001 Develop Capabilities: Malware

Turla has developed its own unique malware for use in operations.(Citation: Recorded Future Turla Infra 2020)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Turla has used WMI event filters and consumers to establish persistence.(Citation: ESET Turla PowerShell May 2019)

.013 Event Triggered Execution: PowerShell Profile

Turla has used PowerShell profiles to maintain persistence on an infected machine.(Citation: ESET Turla PowerShell May 2019)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Turla has used WebDAV to upload stolen USB files to a cloud drive.(Citation: Symantec Waterbug Jun 2019) Turla has also exfiltrated stolen files to OneDrive and 4shared.(Citation: ESET ComRAT May 2020)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.(Citation: ESET Turla PowerShell May 2019)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.(Citation: ESET Gazer Aug 2017)

Enterprise T1588 .001 Obtain Capabilities: Malware

Turla has used malware obtained after compromising other threat actors, such as OilRig.(Citation: NSA NCSC Turla OilRig)(Citation: Recorded Future Turla Infra 2020)

.002 Obtain Capabilities: Tool

Turla has obtained and customized publicly-available tools like Mimikatz.(Citation: Symantec Waterbug Jun 2019)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.(Citation: ESET ComRAT May 2020)

.002 Permission Groups Discovery: Domain Groups

Turla has used net group "Domain Admins" /domain to identify domain administrators.(Citation: ESET ComRAT May 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Turla has used spearphishing emails to deliver BrainTest as a malicious attachment.(Citation: ESET Carbon Mar 2017)

.002 Phishing: Spearphishing Link

Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.(Citation: ESET Turla Mosquito May 2018)(Citation: Github Rapid7 Meterpreter Elevate)

Enterprise T1090 .001 Proxy: Internal Proxy

Turla has compromised internal network systems to act as a proxy to forward traffic to C2.(Citation: Talos TinyTurla September 2021)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Turla used net use commands to connect to lateral systems within a network.(Citation: Kaspersky Turla)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.(Citation: ESET ComRAT May 2020)

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

Turla has used tracert to check internet connectivity.(Citation: ESET ComRAT May 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Turla has used spearphishing via a link to get users to download and run their malware.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1078 .003 Valid Accounts: Local Accounts

Turla has abused local accounts that have the same password across the victim’s network.(Citation: ESET Crutch December 2020)

Enterprise T1102 .002 Web Service: Bidirectional Communication

A Turla JavaScript backdoor has used Google Apps Script as its C2 server.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)

Software

ID Name References Techniques
S0039 Net (Citation: Kaspersky Turla) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0160 certutil (Citation: Symantec Waterbug Jun 2019) (Citation: TechNet Certutil) Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0668 TinyTurla (Citation: Talos TinyTurla September 2021) Asymmetric Cryptography, Native API, Match Legitimate Name or Location, Service Execution, Modify Registry, Windows Command Shell, Ingress Tool Transfer, Masquerade Task or Service, Scheduled Transfer, Query Registry, Fallback Channels, Data from Local System, Web Protocols
S0537 HyperStack (Citation: Accenture HyperStack October 2020) Default Accounts, Native API, Inter-Process Communication, Modify Registry, Symmetric Cryptography, Local Account
S0057 Tasklist (Citation: Kaspersky Turla) (Citation: Microsoft Tasklist) Process Discovery, System Service Discovery, Security Software Discovery
S0099 Arp (Citation: Kaspersky Turla) (Citation: TechNet Arp) Remote System Discovery, System Network Configuration Discovery
S0363 Empire (Citation: EmPyre) (Citation: ESET Crutch December 2020) (Citation: ESET Turla August 2018) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0104 netstat (Citation: Kaspersky Turla) (Citation: TechNet Netstat) System Network Connections Discovery
S0265 Kazuar (Citation: Talos TinyTurla September 2021) (Citation: Unit 42 Kazuar May 2017) Registry Run Keys / Startup Folder, Ingress Tool Transfer, Data Destruction, File Deletion, Obfuscated Files or Information, Standard Encoding, Process Discovery, File and Directory Discovery, System Owner/User Discovery, Internal Proxy, Local Groups, Video Capture, Unix Shell, Dynamic-link Library Injection, File Transfer Protocols, Windows Service, System Information Discovery, Bidirectional Communication, Fallback Channels, Web Protocols, Application Window Discovery, Screen Capture, Scheduled Transfer, Local Account, Local Data Staging, Data from Local System, System Network Configuration Discovery, Windows Management Instrumentation, Shortcut Modification, Windows Command Shell
S0091 Epic (Citation: Kaspersky Turla) (Citation: Secureworks IRON HUNTER Profile) (Citation: TadjMakhal) (Citation: Tavdig) (Citation: Wipbot) (Citation: WorldCupSec) Query Registry, Process Discovery, Web Protocols, System Owner/User Discovery, System Time Discovery, File and Directory Discovery, File Deletion, System Information Discovery, System Network Connections Discovery, Remote System Discovery, Archive via Library, Extra Window Memory Injection, Code Signing, Local Account, Archive Collected Data, Local Groups, Symmetric Cryptography, System Network Configuration Discovery, System Service Discovery, Security Software Discovery, Obfuscated Files or Information
S0395 LightNeuron (Citation: ESET LightNeuron May 2019) (Citation: Secureworks IRON HUNTER Profile) File Deletion, Mail Protocols, Scheduled Transfer, Automated Exfiltration, Exfiltration Over C2 Channel, Obfuscated Files or Information, Steganography, Deobfuscate/Decode Files or Information, Archive Collected Data, Match Legitimate Name or Location, Remote Email Collection, System Information Discovery, Ingress Tool Transfer, Automated Collection, Symmetric Cryptography, Local Data Staging, Windows Command Shell, Data from Local System, Transmitted Data Manipulation, System Network Configuration Discovery, Native API, Transport Agent
S0168 Gazer (Citation: ESET Crutch December 2020) (Citation: ESET Gazer Aug 2017) (Citation: Securelist WhiteBear Aug 2017) (Citation: WhiteBear) Winlogon Helper DLL, Timestomp, Asymmetric Cryptography, Registry Run Keys / Startup Folder, Web Protocols, Shortcut Modification, File Deletion, Thread Execution Hijacking, Process Injection, Ingress Tool Transfer, Symmetric Cryptography, Screensaver, Code Signing, System Owner/User Discovery, NTFS File Attributes, Obfuscated Files or Information, Scheduled Task
S0096 Systeminfo (Citation: Kaspersky Turla) (Citation: TechNet Systeminfo) System Information Discovery
S0022 Uroburos (Citation: Kaspersky Turla) Software Packing, Rootkit
S0538 Crutch (Citation: ESET Crutch December 2020) (Citation: Talos TinyTurla September 2021) Archive via Utility, Peripheral Device Discovery, Bidirectional Communication, Web Protocols, Scheduled Task, Exfiltration to Cloud Storage, Data from Removable Media, Masquerade Task or Service, DLL Search Order Hijacking, Automated Exfiltration, Automated Collection, Data from Local System, Fallback Channels, Local Data Staging, Exfiltration Over C2 Channel
S0256 Mosquito (Citation: ESET Turla Mosquito Jan 2018) (Citation: ESET Turla Mosquito May 2018) (Citation: Secureworks IRON HUNTER Profile) Windows Management Instrumentation, System Owner/User Discovery, Rundll32, File Deletion, Symmetric Cryptography, Security Software Discovery, PowerShell, Modify Registry, Ingress Tool Transfer, Component Object Model Hijacking, Obfuscated Files or Information, Process Discovery, System Network Configuration Discovery, Windows Command Shell, Registry Run Keys / Startup Folder, Native API
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: ESET Turla Mosquito May 2018) (Citation: Symantec Waterbug Jun 2019) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0581 IronNetInjector (Citation: Unit 42 IronNetInjector February 2021) Python, Process Discovery, Process Injection, Masquerade Task or Service, Scheduled Task, Deobfuscate/Decode Files or Information, Dynamic-link Library Injection, Obfuscated Files or Information
S0102 nbtstat (Citation: Kaspersky Turla) (Citation: TechNet Nbtstat) System Network Configuration Discovery, System Network Connections Discovery
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0335 Carbon (Citation: ESET Carbon Mar 2017) (Citation: Securelist Turla Oct 2018) (Citation: Secureworks IRON HUNTER Profile) Scheduled Task, Web Service, Commonly Used Port, System Network Connections Discovery, Query Registry, Permission Groups Discovery, System Time Discovery, System Network Configuration Discovery, Local Data Staging, Windows Service, Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Exfiltration Over Unencrypted Non-C2 Protocol, Remote System Discovery, Web Protocols, Obfuscated Files or Information, Non-Application Layer Protocol, Dynamic-link Library Injection, Process Discovery
S0075 Reg (Citation: Kaspersky Turla) (Citation: Microsoft Reg) (Citation: Windows Commands JPCERT) Credentials in Registry, Query Registry, Modify Registry
S0587 Penquin (Citation: Kaspersky Turla Penquin December 2014) (Citation: Leonardo Turla Penquin May 2020) (Citation: Penquin 2.0) (Citation: Penquin_x64) Unix Shell, System Network Configuration Discovery, Traffic Signaling, Match Legitimate Name or Location, Ingress Tool Transfer, Cron, Network Sniffing, Asymmetric Cryptography, Indicator Removal from Tools, Linux and Mac File and Directory Permissions Modification, Exfiltration Over C2 Channel, Socket Filters, Non-Application Layer Protocol, File and Directory Discovery, System Information Discovery, File Deletion, Obfuscated Files or Information
S0126 ComRAT (Citation: ESET ComRAT May 2020) (Citation: NorthSec 2015 GData Uroburos Tools) (Citation: Secureworks IRON HUNTER Profile) (Citation: Symantec Waterbug) (Citation: Unit 42 IronNetInjector February 2021) Mail Protocols, Hidden File System, Web Protocols, Scheduled Task, Asymmetric Cryptography, Software Discovery, Dynamic-link Library Injection, Obfuscated Files or Information, Scheduled Transfer, Component Object Model Hijacking, Bidirectional Communication, Native API, Windows Command Shell, Deobfuscate/Decode Files or Information, Query Registry, PowerShell, Modify Registry, System Time Discovery, Embedded Payloads, Masquerade Task or Service
S0393 PowerStallion (Citation: ESET Turla PowerShell May 2019) Bidirectional Communication, Obfuscated Files or Information, PowerShell, Timestomp, Process Discovery
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec Waterbug Jun 2019) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  2. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  3. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  4. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  5. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  6. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  7. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.
  8. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  9. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  10. Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
  11. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
  12. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  13. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  14. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  15. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  16. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  17. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  18. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  19. Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020.
  20. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  21. ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
  22. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  23. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  24. Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.
