
MITRE Engenuity ATT&CK Evaluations Announces Results of Enterprise Cybersecurity Solutions Vs. Turla Emulations

Through the lens of the MITRE ATT&CK knowledge base, cybersecurity solutions were evaluated against adversary behavior informed by Turla (G0010), a known Russia-based threat group.

McLean, Va., and Bedford, Mass., September 20, 2023 - MITRE Engenuity ATT&CK® Evaluations (Evals), a program of MITRE Engenuity™, MITRE’s tech foundation for public good, released its latest round of independent ATT&CK Evaluations for 30 enterprise cybersecurity solutions. Through the lens of the MITRE ATT&CK knowledge base, this round focused on adversary behavior informed by Turla (G0010), a known Russia-based threat group.

“Turla is one of the most sophisticated threat actors, and their tradecraft is platform diverse, dynamic in stealth, and layered in persistence,” said Amy Robertson, MITRE cyber threat intelligence lead, ATT&CK Evals. “This round provides an emulation that focused on kernel and service-level operations that often run with the same permissions as detection and protection products. Our goal is to empower end users and purchasers with unbiased insights into the product capabilities that detect these advanced adversary behaviors, while also collaborating with the participating vendors to evolve their products.”

Active since at least the early 2000s, Turla has infected institutions in more than 50 countries. The group has targeted government agencies, diplomatic missions, military groups, research and education facilities, critical infrastructure sectors, and media organizations. Turla leverages novel techniques and custom tooling, including the complex “Snake” malware, to elude defenses and persist on target networks. The group is also known for its adaptability and willingness to evolve behaviors and tools to achieve campaign objectives.

The ATT&CK Evals team chose Turla based on its innovative stealth, the relevancy of its activity to various sectors, and the breadth of open-source reporting on its tradecraft. The emulation represents how Turla achieves post-exploitation persistence with a minimal footprint through in-memory or kernel implants, evades detection by defensive tools, and exfiltrates sensitive information from Linux and Windows infrastructure.  

These open and fair evaluations, which were paid for by the vendors, include solutions from AhnLab, Bitdefender, BlackBerry, Broadcom, Check Point, CrowdStrike, Cybereason, Cynet Systems, Deep Instinct, Elastic, ESET, Fortinet, HarfangLab, IBM Security, Malwarebytes, Microsoft, Palo Alto Networks, Qualys, Rapid7, Secureworks, SentinelOne, SOMMA, Sophos, TEHTRIS, Trellix, Trend Micro, Uptycs, VMware, WatchGuard, and WithSecure.

The evaluations are part of MITRE Engenuity’s suite of programs to help government and industry combat cybersecurity attacks through threat-informed defense practices. The evaluations do not rank vendors and their solutions; however, organizations can use the evaluations to determine which vendors and solutions may best address their own cybersecurity gaps and fit their particular business needs. For full results of the evaluations, visit https://attackevals.mitre-engenuity.org/enterprise/turla/.


MITRE Engenuity, a subsidiary of MITRE, is a tech foundation for the public good. MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.

MITRE Engenuity brings MITRE’s deep technical know-how and systems thinking to the private sector to solve complex challenges that government alone cannot solve. MITRE Engenuity catalyzes the collective R&D strength of the broader U.S. federal government, academia, and private sector to tackle national and global challenges, such as protecting critical infrastructure, creating a resilient semiconductor ecosystem, building a genomics center for public good, accelerating use case innovation in 5G, and democratizing threat-informed cyber defense. www.mitre-engenuity.org


ATT&CK® Evaluations is built on the backbone of MITRE’s objective insight and conflict-free perspective. Cybersecurity vendors turn to the Evals program to improve their offerings and to provide defenders with insights into their product’s capabilities and performance. Evals enables defenders to make better informed decisions on how to leverage the products that secure their networks. The program follows a rigorous, transparent methodology, using a collaborative, threat-informed, purple-teaming approach that brings together vendors and MITRE experts to evaluate solutions within the context of ATT&CK. In line with MITRE Engenuity’s commitment to serve the public good, Evals results and threat emulation plans are freely accessible. https://attackevals.mitre-engenuity.org/

Media Contact: Lisa Fasold, media@mitre.org