National Cyber Security Centre

UK and US intelligence exposes Turla group attack

Turla revealed as exploiting Iranian hacking tools and techniques to attack dozens of countries.


The cyber actor known as the Turla group acquired Iranian tools and infrastructure to conduct attacks on dozens of countries, security officials in the UK and USA have revealed.

Advisories published today (21 October) by the UK’s National Cyber Security Centre (NCSC) and US National Security Agency (NSA) have shown that the group targeted victims and adopted techniques used by suspected Iran-based hacking groups.

Documents were extracted from victims in various sectors, including governments. The majority of the victims were based in the Middle East.

Turla used the implants ‘Neuron’ and ‘Nautilus’, derived from the suspected Iran-based hacking groups’ previous campaigns. In order to acquire these tools and access the infrastructure, Turla also compromised the suspected Iran-based hacking groups themselves.

The attacks against more than 35 countries would appear to the victims to be Iranian in origin, but the NCSC revealed that this was not the case.

Paul Chichester, the NCSC’s Director of Operations, said:

“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign.

“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.

“Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims.”

Interestingly, in some instances, it appeared that the implant had first been deployed by an IP address associated with an Iranian APT group and was later accessed from infrastructure associated with Turla, a suspected Russia-based group. This suggests Turla effectively took control of victims previously compromised by a different actor.

Turla, which is also known as Waterbug or VENOMOUS BEAR, regularly collects information by targeting government, military, technology, energy and commercial organisations.

You can read the full assessment here.

Further information

  • The UK Government is fully committed to defending against cyber threats and set up the National Cyber Security Centre (NCSC) as part of GCHQ in 2016.
  • The NCSC was created as part of the five-year National Cyber Security Strategy in 2016, supported through £1.9 billion transformative investment.
  • The NCSC is the UK’s lead technical authority on cyber security and offers unrivalled real-time threat analysis, defence against national cyber attacks and tailored advice to victims when incidents do happen.

Background: Neuron and Nautilus usage by Turla

  • The NCSC published two advisories on the use of Neuron and Nautilus tools by Turla in late 2017 and early 2018. These tools were observed in use alongside Snake on a number of victims.
  • Since publication of those advisories, further analysis by the NCSC and the wider infosec community determined that Neuron and Nautilus tools were present on a range of victims, with a large cluster in the Middle East.
  • Victims in this region included military establishments, government departments, scientific organisations and universities. Some of these victims, but not all, also had a Snake implant present.

Victim Overlap

  • Investigation into these victims identified that while some implants had been deployed and administered from infrastructure associated with the Turla group, others had previously received connections from Virtual Private Server (VPS) IP addresses that the open source community associates with Iranian Advanced Persistent Threat (APT) groups.
  • Interestingly, in some instances, it appeared that the implant had first been deployed by an IP address associated with an Iranian APT group, and then was later accessed from infrastructure associated with Turla.  
  • In order to initiate connections with the implants, Turla must have had access to relevant cryptographic key material, and likely had access to controller software in order to produce legitimate tasking.  
  • In other instances, Neuron was deployed by Turla to victims which they already had access to via their Snake toolkit, with all observed connections from Turla-associated infrastructure. 

