
The targeting, just like I mentioned: that top batch is kind of like their tier one that they're going for to get the intel, but then they're also in telco, pharma, unfortunately education, a lot of energy, and technology. So they're hopping in there either to do collection or to use that as a second layer for their activities.

So now we come back to: well, what does that matter, how do I detect them? So we're going to talk a little bit about the TTPs, and this is where I had to do some analysis to look at, okay, there's a malware report, but what's the actual underlying behavior of what they're doing? And then I looked at it and I was like, well, how rare is it that it's just them doing it? I only came up with really two TTPs that were kind of unique to them.

So we'll start with initial access. That was a genius stroke when they took over Iran: they took over somebody else's initial access and just said "that's mine" and started operating. Watering holing, spearphishing, everybody does that. Use of valid accounts, that's all you see now, so you don't really know how that got in; they just came in with a valid account. It's kind of like a dirty secret for incident responders: you never really know how they got in, they just logged in with something and they got that access. Either they bought it from somebody like an initial access provider, or it was from a previous compromise a long time ago. Then they're also backdooring Android APKs to get on target cell phones. That's actually technically not that hard compared to maybe Apple, which was a little bit harder, but Android, as long as you trust who you're installing, you can load it in there; there's no vetting of those apps.

Execution: like I said, nothing crazy here. I mean, Word docs with decoys, getting into memory via PowerShell, everybody's doing this, process injection, very similar.

On the persistence side, though, they do have some pretty... I mean, they're operating their backdoors in JavaScript, .NET and RPC, so they have this whole breadth of tooling that they can use, not just one. And that matters because they often deploy multiple persistence mechanisms in a network, so if one gets taken out they immediately have another one, and then they can decide to either go dormant and hide or try to do something else to piss off the target.

Privesc: nothing here that's out of the ordinary, except maybe the targeting of VMware drivers. That was how they got their rootkit. So if you've heard of the Snake or Uroburos rootkit, that was how they got that rootkit installed, because the VMware drivers were kernel level. But yeah, Meterpreter, reflective DLL injection, all standard stuff here.

Defense evasion: they've definitely upped their game. We've seen how they operated in the 90s and early 2000s; it was laughable, like they didn't clear out the strings, and when they compiled their code everything was there, and that's how people were able to kind of build a history about them. But now they're pretty good: they're bypassing all the security agents, bypassing Windows controls, much like our pen testers, right? Seems like they always get in.

Credential access: all standard stuff, don't even need to cover that. They do have some custom tooling on the lateral movement side, so that's something to pay attention to; it's not strictly living off the land and just using native Windows commands.

Now command and control. Now we get to the other item that's important with them: they use satellite networks for exfiltration. They're really smart at how they did this. They picked satellite providers that were in Africa because they couldn't be messed with by Interpol or NATO or any of that. I know when I had to deal with a lot of Chinese intrusions, they knew if they moved something to Europe that was protected by privacy, it was harder for us to respond. Well, if they start to throw stuff to African satellite providers and it shoots up and it's in the air, who's going to stop it once it goes up into space, right? So then they can just sit back in St. Petersburg and capture that signal with all their data. They're not the only one that uses satellite networks; I think there's about three other actors that do this, but it's definitely something that's not common.

And then another thing that they do really well: there's a lot of methods that they use to hide in plain sight, but they do really well with Gmail. It's really hard to detect anything with Gmail. I mean, it's all encrypted, what are you going to look for? I mean, they're accessing Gmail; well, all your employees access Gmail, unless you're working at a government site where they block that stuff, which is pretty rare. And then on the exfil side, a lot of that hiding in plain sight: using OneDrive, using Box, and going to victim infrastructure. So this kind of paints the picture that they're not using anything cutting edge here, and really you've got two major things that they've done that stand out: satellite usage and then hijacking other threat actors' infrastructure.

So now we're going to dive into kind of the... and all this is linked so you can download this later and benefit from the research that I did, but we can walk through their history of all their malware. It started off with LOKI2, and they initially thought it was something called cd00r, which was talked about in Phrack. That's how old this is; Phrack was like an e-zine from a long time ago. I think it's still up and running, but it doesn't publish as often as it used to. So you're talking about a Unix backdoor; they were compromising like Solaris and IRIX. This is old school stuff. And then they started their Penguin backdoor, which is the Linux port, so that runs on Ubuntu, CentOS, and that's gone on forever because it works; nobody's detecting it.

One of the more genius things about that backdoor is it uses port knocking. So if you think of like a Meterpreter reverse shell, there's like a port 444 and then it connects, right? Well, with the port knocking they send a magic byte in the packet on any port, so 389, 445, it could be any port, it could be UDP, but it's got a magic byte in there and that unlocks the communication. And so it's really just awesome how they do this. They'll deploy it everywhere and it'll just stay stealthy and just sit there. It doesn't talk out, it doesn't do anything, nothing's hard-coded, and then they'll wake it up with a magic byte and then it'll talk to infrastructure that they've set up just for that activity, that campaign. So they can continuously update it with the magic byte and it'll talk to different infrastructure, so if you've blocked something in DigitalOcean, they'll just move it with another magic byte to another place. So it's a very, very cool way of doing things, and on the system it just looks like cron, so it's appearing to be like cron on your Unix system.

So they've continued to do tons of development. Carbon and Cobra, that's their backdoor, and it's similar to ComRAT in that it leverages an encrypted VFS. So that's an entirely hidden file system on your computer. It looks like a file, and then there's an encryption key in the registry, and it just uses access to the registry to decrypt it, and all their crap's there, hidden from you; you won't even see it. So ComRAT, we'll go over that more; that's probably their most famous tool. So ComRAT is COM object hijacking, so you'll see that in the registry because it's got COM objects in the registry. Snake, we talked about a little bit; that's the one that was exploiting the VMware driver. Skipper was another one of their first-stage implants, so there was a lot of visibility on this one, and they were delivering it with Adobe Flash at the time. So now that Flash is kind of out, they've moved on to other things. I don't need to go through everything here, but IcedCoffee and KopiLuwak were interesting. (Maybe that's them, yeah, they sent the magic byte just right now.) So IcedCoffee, and I don't know who came up with these names, but they're coffee themed, was their first JavaScript backdoor. That was interesting because they keep evolving capabilities and they have a whole suite of capabilities to come at you with. Gazer was definitely reported on a lot; that's their mode for moving files about and C2 and that kind of stuff. And then KopiLuwak was the evolution of IcedCoffee, same following the coffee theme.

So now I'll focus a little bit on their pivot to PowerShell. So obviously everybody's been doing... attackers for the last, what, five, six years, maybe longer, have been doing a ton of stuff in PowerShell. And so they were actually using commodity off-the-shelf PowerShell stuff, and then they decided to write their own PowerShell backdoor, which is PowerStallion, and they, I believe, created that with power supply, and that's been really effective for them. Poison Frog, that was their nice little panel that they used to hijack the Iranian infrastructure, so they installed that; they took over the infrastructure and installed their own panel so they could admin all of the Iranian infrastructure. PyFlash, yet again a new capability: now they have Python. So look, they've got C#, they've got all this old school Unix stuff, they're doing PowerShell, .NET, RPC, now they've added Python to their repertoire. And then lastly TinyTurla, which was, I believe, reported by Cisco, and this is really cool. This is something that I looked at because it was more recent, and what they did here was take advantage of hiding in plain sight. So if you're familiar with Windows, usually there's traditionally like a w32-something and a w64-something, like there's two versions of the same file. So they found that there was only one version of w32time, and so they pretended to be w64time, and it looks legitimate, right? And so they were able to hide for a long time with that, and it's tiny, it's only 13 kilobytes, hence the name TinyTurla. Like I said, good Cisco Talos report on that if you guys want to look into that.

So now a little bit about the lineage. I wanted to kind of show this, how you can see, and I apologize, but you can see how this is the original Agent.BTZ that we talked about, and then it torqued off and they created a new Carbon backdoor, and then mixed it all up into ComRAT. It's a nice timeline; what it's showing is that you've got a really dedicated staff of developers and security people focused on building these capabilities. It's not just a fly-by-night operation. And in a lot of cases the reason they're able to find this out is because they link a lot of static binaries in their tools, so you can go see at the time what they were using, and because that package was only available at a certain time, that allows you to apply the time to it. Like, say, OpenSSL: they were using a static library of OpenSSL, well, that was only deployed for like 18 months and then a different one came out, so that's how they added the time element here with the malware.

Okay, so a little bit about their infrastructure. They're able to pretty much do whatever they want. On the phishing, I was going to mention this to you because this is one of their newer tactics. What they were doing was sending out Word documents with an embedded PNG image, and they weren't doing any kind of exploit, but it was set up to just make a remote call. So in a Word document, it's a compound structure, you can embed all kinds of things into the document. So they embedded an image that was actually hosted on infrastructure that they control, and all they did was just watch to see who opened it. So strictly reconnaissance. That's how quiet they try to be; they don't try to smash and grab, they're really, really stealthy. And they were targeting a lot of things around NATO and Ukraine stuff and trying to get people to click on it, and then see, okay, now we know where they're at, and then go after them. So that's something that was more recent. They're using web shells, spearphishing, watering holes; you can see the TinyTurla reference there. And then they're really good at using all kinds of shared platforms. It's like one of the best ways to hide in plain sight: Dropbox, Instagram, hiding things in Instagram comments, like just little dots, they don't look like anything; that's how they can communicate over Instagram, and then the C2 as well. And so the thing here is there's a mix of things, right? So there's things that are generally viewed as non-sophisticated, like Dropbox and just using a shared service, but they also have very complex backdoors. So they can deploy a range of things, which is kind of how you see APTs, right? They're basic when they need to be basic, because they know that the target can't stop them, and then they can level up their capabilities and use more advanced things the more sophisticated their target is.

So now I wanted to go over the Linux stuff, because this is likely what, unless you're in the policy or diplomacy space, if you're going to see them, this is probably what you'll see: they'll go after your Linux servers. There was a really, really good report by a Swiss defense company called RUAG that really detailed this Penguin implant, and like I said, the report came out in like 2014, but it was actually observed in 2011. So look at the lag time there: that Swiss defense contractor didn't really talk about or detect it until three, four years later. It doesn't require any root perms. They've kept it clean by stripping out all the symbols; it's still pretty large, though. It does have requirements: so I was mentioning the OpenSSL before, it relies on a lot of open source libraries. They can track it because they all use Blowfish encryption with the same initialization vector key, so the same key used on all of these. And then the same thing I was talking about before, the magic packet, that's exactly how it is right there. So on TCP it's a specific ACK number, and then on UDP it's a location, so the second byte of the body. That's how they do it. And then one time they did use a hard-coded port, and that allowed a lot of reporting. So they used 1773 for a while, so people were able to hunt them and see all their satellite activity. So that was definitely a big win there when they did, I guess you could call it a mistake, that they hard-coded it.

And then in terms of behaviors, so on the Linux side, here's everything mapped to MITRE, so you kind of know what to look for. So to defend against this, you won't want to just write like one detection, but you're going to want to write a whole bevy of detections and then probably have your red team emulate it and see how they get around your detections. But like port knocking, remote file copy, all this crypto stuff, file modifications: you're going to need a layered defense. I would be surprised if you could do it only with EDR; you're going to need network as well, so you're going to need the whole suite.

And then a little bit more about some of the behaviors. They were able to do system profiling and make it look like just Google Analytics, so like all that advertising crap that you just ignore that Google is doing, that's what they pretended to look like, so you wouldn't really notice them. And then their file transfers were stored under root in the session key and hsperfdata, so like I said, that's pretty innocuous; that wouldn't jump out to me as, like, this is an evil file. Oh, and then they exfilled through POSTs, so that's something that you could really detect on. Normal traffic is going to be more slanted towards GETs, probably like 80 percent GETs and maybe 20 POSTs, or even less than that. So when you see a lot of POSTs, it's good to investigate that and see what exactly is happening there, because oftentimes that can be a web shell. Question?
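As an added example (not code from the talk): the POST-heavy traffic heuristic the speaker describes, run over a few constructed Common Log Format access-log lines. Per-client POST share is computed, and clients above a threshold are reported with the path they POST to most; the thresholds, IPs and log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two clients browsing normally, one client repeatedly
# POSTing to a single script (the pattern the talk says is worth investigating).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 412
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /home HTTP/1.1" 200 5120
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 1800
203.0.113.9 - - [10/Oct/2023:14:01:11 +0000] "POST /images/upload.php HTTP/1.1" 200 51
203.0.113.9 - - [10/Oct/2023:14:01:12 +0000] "POST /images/upload.php HTTP/1.1" 200 4096
203.0.113.9 - - [10/Oct/2023:14:01:14 +0000] "POST /images/upload.php HTTP/1.1" 200 77
203.0.113.9 - - [10/Oct/2023:14:01:15 +0000] "GET /images/upload.php HTTP/1.1" 200 0
203.0.113.9 - - [10/Oct/2023:14:01:17 +0000] "POST /images/upload.php HTTP/1.1" 200 65536
"""


def parse_lines(text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def overall_post_share(text):
    """Fraction of all requests that are POSTs (the talk's rough 80/20 baseline)."""
    total = posts = 0
    for rec in parse_lines(text):
        total += 1
        posts += rec["method"] == "POST"
    return posts / total if total else 0.0


def post_heavy_clients(text, post_share=0.5, min_requests=5):
    """Return {ip: (posts, total, most_posted_path)} for clients whose POST share
    exceeds post_share over at least min_requests requests. min_requests keeps a
    client with a single login POST from being flagged on a tiny sample."""
    counts = defaultdict(lambda: {"posts": 0, "total": 0, "paths": defaultdict(int)})
    for rec in parse_lines(text):
        c = counts[rec["ip"]]
        c["total"] += 1
        if rec["method"] == "POST":
            c["posts"] += 1
            c["paths"][rec["path"]] += 1
    flagged = {}
    for ip, c in counts.items():
        if c["total"] >= min_requests and c["posts"] / c["total"] > post_share:
            top_path = max(c["paths"], key=c["paths"].get)
            flagged[ip] = (c["posts"], c["total"], top_path)
    return flagged


if __name__ == "__main__":
    print(f"overall POST share: {overall_post_share(SAMPLE_LOG):.2f}")
    for ip, (posts, total, path) in post_heavy_clients(SAMPLE_LOG).items():
        print(f"{ip}: {posts}/{total} POSTs, mostly to {path}")
```

A flagged client is a lead to triage, not a verdict; the path it keeps POSTing to is what you would pull and inspect next.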
Yeah, yep, that's it, yep. Yeah, the question was BeEF, the Browser Exploitation Framework, was an open source tool to basically run with JavaScript. So if you've got JavaScript enabled on your browser, it'll run that and start to profile your system for you and pull back like your IP, your browser version, your OS version, all that kind of stuff. So yeah, they definitely take advantage of a lot of open source tooling, and then eventually what they'll do is get comfortable with it and write their own version of that open source tool. But yeah, thank you for that question.

Okay, so what are they up to now? Like I said, the conventional thinking is that they've kind of stopped their larger effort with all of Europe and all of Central Asia and pulled back just to focus on Ukraine a little bit, because I guess we all see how that war is going; it's not a win for them by any means. So Google TAG has been tracking a lot of their activity, because they see a lot of it via their email platforms, and they were targeting some stuff in Germany, some stuff in NATO, and using that remote image docx that I told you guys about, and using a lot of, like, it's opportunistic, right, Ukrainian war themes. So like, "here's an update on the war," and who's not going to open that, right? And then this is where the even more recent reporting is on how they created this Android app. So they pretended to be a Ukrainian, like, anti-Russian app; it was an app to DoS the Russians, or that's what it looked like, but then it was actually the Russians collecting information on the Ukrainians that were downloading it. So it was a pretty solid tactic there. And all it really did was send like one ping, so it wasn't actually DoSing anything, but it was revealing information about the Ukrainian forces and Ukrainian people who were installing the app. And that was Sekoia, you can see there, so Sekoia and Google TAG have been doing a lot of reporting this year on Turla. So that's kind of what they've been up to lately.

And one thing I wanted to share with you guys is a way to kind of rank them. It can help sometimes to put things in buckets, and this is a model that I came up with about five or six years ago when I was at CrowdStrike, and specifically it was because I got frustrated with people saying, well, they were so sophisticated, nobody could have stopped them. Well, you can't really say anything to that, because it's a claim that you can't disprove: you weren't there, you weren't the responder, you don't know what happened, maybe they were that good. But a lot of times when you see the report, you're like, well, that's not that crazy, like we could have stopped that. And so this is a method to start to score how they operate, to say, okay, are they really that good? And so from an earlier presentation I mapped out some other threat actors. So what you'll see there is Equation Group on the top right; I don't even need to say who that is. And then on the bottom left is Anonymous, and then you have Carbanak, who was a very successful ecrime operator for a long time, and then that image there I believe is Silent Chollima or Lazarus, and then the turtle image there is where I've rated them.

So in terms of attack precision, they're pretty good. On the lower side it's just like spray and pray, cred stuffing, just opportunistic, and then the higher side is very, very precise; they're not wasting any extra keystrokes. Cross-platform capability: they're on obviously Windows and Linux, but also Mac, so they have Mac tools, and they also were on Android. I couldn't score them higher because I just don't have the information to say that they were embedded computing or supply chain compromise; they probably have, but I just don't have the information, so I can't change my rating there. There was actually some reporting by Kaspersky that thought that they were behind SolarWinds, but there's disagreement on that, so it's hard to say. Some people said it was, I believe, Cozy Bear, and then other people said it was Turla. I don't think it was Turla, honestly, but I think it's just something that's up for debate. Targeting: very strong, so they're going after hard targets. I couldn't give them anything but a 10, because they compromised the classified network that's air-gapped, so good for them, bad for us. Opsec: I wanted to give them a stronger score, like 10, but I couldn't, because they've actually had... they'll get on and, similar to some of the Chinese operators, do personal business on adversary infrastructure, and then they've left a lot of notes too, like making fun of the CIA and calling out things in their tooling. So mixed results; I mean, they're overall really good because they're there for a long time, but they've also had some pretty bad opsec breaks. Resilience is really strong because they have multiple implants, and something that they did, this is actually documented: a lot of times when they're discovered they'll just go silent, and then Mandiant or CrowdStrike comes in and they're not doing anything, and then as soon as they go away, then they'll spin up again. Well, what they did in this one incident is they actually started dropping a bunch of Chinese malware, so they knew that if they dropped that, then the responders would come in and see that and think, oh, this is China, and take the investigation a different route. So kudos to them again. And then obviously their stealth: one of the longest running compromises, you're talking about five to ten years in many cases where they can stay on a network with just the same tooling, not even having to change it. So overall that's why I have them ranked. It's something that I'll link to so you guys can see the actors model and kind of the scores, so you can have an idea of what you're dealing with. It helps: the more you understand about your adversary, the easier it is to start to plan to defend against them. And I think with that I will wrap up. I think I'm right at 45, right? Okay, so happy to answer any questions.
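As an added example that is not part of the talk: a check for the remote-image reconnaissance technique the speaker describes, where a Word document links a picture from attacker-controlled infrastructure instead of embedding it, so opening the file makes a remote call. A .docx is a zip package, and a linked picture appears as an image relationship with TargetMode="External" in one of the package's .rels parts; the script builds a constructed minimal docx both ways and scans it. The tracker URL and the package contents are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the relationship type used for pictures.
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
OFFICE_DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"


def external_image_targets(docx_bytes):
    """Return [(rels_part, url)] for every image relationship in the package whose
    TargetMode is External and whose target is an http(s) URL. An embedded picture
    has no TargetMode and points at word/media/..., so it is not reported."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if rel.get("Type") == IMAGE_REL and re.match(r"(?i)https?://", target):
                    hits.append((name, target))
    return hits


def build_sample_docx(remote_image_url=None):
    """Constructed minimal .docx with just the parts needed to carry one picture.
    With remote_image_url set, the picture is linked (TargetMode="External");
    otherwise a tiny PNG stub is embedded under word/media/."""
    doc_rels = [f'<Relationships xmlns="{PKG_NS}">']
    if remote_image_url:
        doc_rels.append(f'<Relationship Id="rId2" Type="{IMAGE_REL}" '
                        f'Target="{remote_image_url}" TargetMode="External"/>')
    else:
        doc_rels.append(f'<Relationship Id="rId2" Type="{IMAGE_REL}" Target="media/image1.png"/>')
    doc_rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
                   f'Type="{OFFICE_DOC_REL}" Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", "\n".join(doc_rels))
        if not remote_image_url:
            z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")  # PNG signature stub
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder tracker URL, constructed for the example.
    tracked = build_sample_docx("http://tracker.example.invalid/pixel.png")
    print("linked images:", external_image_targets(tracked))
    print("embedded-only:", external_image_targets(build_sample_docx()))
```

The same check works on real mail attachments, since only the .rels parts are read; a hit means the document will contact that host on open, which is worth blocking at the gateway and hunting for in proxy logs.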
So the actors paradigm measures the sophistication, so the x part of that graph, and then effectiveness is going to be based on all their campaigns, so where you've seen them be successful. So like the one that was right by them, the Axiom, Aurora Panda, like they got into Google with that zero day, so they're very, very skilled, so that's kind of where I have them in terms of effectiveness. They're a little bit ahead on sophistication because they've been going on for so long and there's just the sheer amount of development that they do for all their tooling. But yeah, that's basically it: it's that x bar, so the more sophisticated, the further you are to the right, and then the more effective you are... because you can be really effective, and like especially a lot of these ransomware operators are just killing it, they're making so much money, but they're not sophisticated. So that's how you kind of got to look at it: the farther you are to the top on the right, the more you need to be worried about them. Yes, in the back.
I don't... yeah, I don't have any firm information to say that either way. I don't think anybody's come out specifically and said... I mean, I think everybody believes it's Russia, but I don't know exactly which unit within Russia. Probably not them, because like I said, they're classic espionage, so like I said, their track record is they don't have a lot of indictments against them; they're not flashy, they like to stay below the radar, versus some of the other ones like BlackEnergy, Sandworm, they're being real aggressive. And so they're different from Turla: they're going out to disrupt and cause instability with people, versus these guys are just trying to collect, old school espionage.
Yeah, no, definitely. I think it's just still unknown at this point. Yes? Well, I mean, they've got government funding, so they're part of the FSB. So also, if you look at it, Putin was a KGB guy, so he's going to fund the FSB the most. Recently, if you've been following the Ukrainian news, Putin is totally at odds with the head of the SVR, which is like the CIA; if you saw the news conference, he totally humiliated him in front of everybody on global television. So it just seems like the FSB right now has the spotlight. It's the equivalent of, like, your CSO has his favorite team and gives them all the budget, whatever team that is. And then it seems like funding isn't a problem. And then there's also some more recent reporting that it's a partnership, so there's actual private companies; there's two that were mentioned, one was called Atlas of the FSB and then the other one was called Center for Information. So there's these... I don't know if you'd call... I can't say that they're like front companies, but it's kind of like real top-notch private sector guys that are, like, out of the military, but they are operating for the FSB. Cool, any other questions? All right, well, thank you so much for your attention and thanks for coming out this early in the morning. Thank you.