An advanced persistent threat (APT) group called Turla that targets the energy sector among others is the focus of a joint advisory released by the National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC).
The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory found Turla has compromised — and is currently leveraging — an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools.
The Turla group, also known as Waterbug or VENOMOUS BEAR, is widely reported to be associated with Russian actors, according to the advisory. Turla uses a range of tools and techniques to target government, military, technology, energy and commercial organizations for the purposes of intelligence collection.
Previous advisories from NCSC detailed Turla’s use of Neuron and Nautilus implants and an ASPX-based backdoor alongside the Snake rootkit.
Analysis by NCSC, NSA and partners of additional victims and infrastructure determined that the Neuron and Nautilus tools were very likely Iranian in origin. Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla’s use of their implants.
After acquiring the tools – and the data needed to use them operationally – Turla first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims, according to the advisory. Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold. The focus of this activity from Turla was largely in the Middle East, where the targeting interests of both APTs overlap.
The timeline of incidents, and Turla’s behavior in actively scanning for Iranian backdoors, indicates that while the Neuron and Nautilus tools were Iranian in origin, Turla was using these tools and accesses independently to further its own intelligence requirements. Turla’s scanning for backdoor shells indicates that although the group had a significant amount of insight into the Iranian tools, it did not have full knowledge of where they were deployed, according to the advisory.
While attribution of attacks and proving authorship of tools can be very difficult – particularly in the space of incident response on a victim network – the weight of evidence demonstrates Turla had access to Iranian tools and the ability to identify and exploit them to further Turla’s own aims, the advisory said.