As Turla attacks evolve, do enterprise security teams need to defend differently?

News by Davey Winder

The Russian group hijacked the computer network operations infrastructure of Iranian threat actor APT 34

Turla, the highly-sophisticated and long established cyberespionage threat actor, shows no sign of slowing down. 

The 'Tracking Turla: new backdoor delivered via Armenian watering holes' report from ESET reveals how the nation-state group, thought to be Russian, has been using two previously undocumented pieces of malware in attacks against government websites in Armenia. The targets in this campaign are thought to be government officials and politicians. 

This comes as no surprise at all, as another report published today, this time from Recorded Future, confirms that operations against research, diplomatic and military targets are the strategic focus of Turla. The ongoing focus, Recorded Future researchers say, is against targets within the North Atlantic Treaty Organisation (NATO) and Commonwealth of Independent States (CIS) nations. 

The Recorded Future report titled ‘Swallowing the snake's tail: tracking Turla infrastructure’ reveals how the group was able to successfully infiltrate the computer network operations infrastructure of Iranian threat actor APT 34. 

"This was clearly an operational shift for Turla," John TerBush, senior threat intelligence researcher at Recorded Future, told SC Media UK. "We surmise that this operation may have primarily been opportunistic in nature, although geopolitics in the Middle East may have been an impetus for the group to target the APT 34 operations in particular." 

TerBush says that he has not seen such a wholesale takeover of a large-scale operation of one state by another before. 

Under this operation, the Russians effectively took operational control of multiple components of another nation's offensive computer network operations. "This sort of hostile takeover of live operations, or even development environments, had simply not been publicly observed before," said TerBush. 

As part of the Armenian campaign, Turla employed a new backdoor developed using the Python language, noted the ESET report. This is another first for Turla, but not at all unexpected. Nor, for that matter, is it unexpected that "the final payload has changed," said ESET researcher Matthieu Faou, who confirms that this is "probably in order to evade detection." 

Turla has the reputation of developing its own proprietary tools and malware, while many other nation-state groups rely more and more on open source software. Not that Turla totally ignores the latter, but it mixes things up while evolving to adopt new attack methodologies with one eye always on obfuscation. 

"As the majority of the open-source tooling receives immediate infosec attention, multiple signatures are developed as a result," Vitali Kremez, head of SentinelLabs at SentinelOne, told SC Media UK. 

"Developing in-house tools is the preferred way to obtain and secure long-term access as the Turla group oftentimes strives to achieve." Generally, it is always easier to defend against known tooling such as open-source tools, as they are readily available with the source code as needed, said Kremez. 

"However, some of the in-house private tooling can also be reverse engineered to an extent that would allow such an approach to work as well; however, it takes more time and effort to do so," he added.

Etay Maor, CSO at IntSights, agrees that "the most obvious advantage when facing a publicly available malware is that you have the opportunity to analyse it before it hits your network." With proprietary, custom-developed, malware, you are facing the unknown as a defender. 

"This means detection of these types of attacks relies on heuristics. The flip side of this is the issue of attribution: when using custom malware, depending on the target, code, capabilities, etc., researchers may be able to attribute it to specific groups," he explained.

Focusing on the differences between open source and custom attack tools invariably leads to making assumptions about their capabilities and attack flows, essentially signatures, warned Igor Baikalov, chief scientist at Securonix.

Baikalov suggested that there is no reason to think a signature-based approach will fare any better in detecting polymorphous attack scenarios than it does malware generally. "That said, signature and rule-based controls are still a vital part of the defence-in-depth strategy; they just cannot be the only part," he added.

In-depth defence is key to enterprise defender success, say security researchers. "A mature organisation will not behave any differently," said Ed Williams, director (EMEA) of SpiderLabs at Trustwave. 

"While custom code can 'bypass' some mechanisms, appropriate defence in depth with mature protect, detect and respond processes will allow businesses to continue to operate as usual. The key is to ensure that the basics are covered across the entire organisation," he said.

"Segmentation of networks means even if attackers get in, regardless of how, the damage will be contained and the breach detected earlier," Daniel Goldberg, senior security researcher at Guardicore Labs, told SC Media UK. 

"High-end groups like Turla can bring to the table never-seen-before capabilities, but these will rarely include techniques that are not mitigated by the above basics," he explained.
