National Cyber Security Centre
UK and US intelligence exposes Turla group attack
Turla revealed as exploiting Iranian hacking tools and techniques to attack dozens of countries.
The cyber actor group Turla acquired Iranian tools and infrastructure to conduct attacks on dozens of countries, security officials in the UK and USA have revealed.
Advisories published today (21 October) by the UK’s National Cyber Security Centre (NCSC) and US National Security Agency (NSA) have shown that the group targeted victims and adopted techniques used by suspected Iran-based hacking groups.
Victims, the majority of whom were based in the Middle East, saw documents extracted from various sectors, including governments.
Turla used the implants ‘Neuron’ and ‘Nautilus’, derived from the suspected Iran-based hacking groups’ previous campaigns. In order to acquire these tools and access the infrastructure, Turla also compromised the suspected Iran-based hacking groups themselves.
The attacks against more than 35 countries would appear to the victims to be Iranian in origin, but the NCSC revealed that this was not the case.
Paul Chichester, the NCSC’s Director of Operations, said:
“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign.
“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.
“Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims.”
Interestingly, in some instances, it appeared that the implant had first been deployed by an IP address associated with an Iranian APT group, and then was later accessed from infrastructure associated with Turla, a suspected Russia-based group, suggesting Turla effectively took control of victims previously compromised by a different actor.
Turla, which is also known as Waterbug or VENOMOUS BEAR, regularly collects information by targeting government, military, technology, energy and commercial organisations.
- The UK Government is fully committed to defending against cyber threats and set up the National Cyber Security Centre (NCSC) as part of GCHQ in 2016.
- The NCSC was created as part of the five-year National Cyber Security Strategy in 2016, supported through £1.9 billion transformative investment.
- The NCSC is the UK’s lead technical authority on cyber security and offers unrivalled real-time threat analysis, defence against national cyber attacks and tailored advice to victims when incidents do happen.
Background: Neuron and Nautilus usage by Turla
- The NCSC published two advisories on the use of Neuron and Nautilus tools by Turla in late 2017 and early 2018. These tools were observed in use alongside Snake on a number of victims.
- Since publication of those advisories, further analysis by the NCSC and the wider infosec community determined that Neuron and Nautilus tools were present on a range of victims, with a large cluster in the Middle East.
- Victims in this region included military establishments, government departments, scientific organisations and universities. Some of these victims, but not all, also had a Snake implant present.
- Investigation into these victims identified that while some implants had been deployed and administered from infrastructure associated with the Turla group, others had previously been connected to by Virtual Private Server (VPS) IP addresses associated in the open source community with Iranian Advanced Persistent Threat (APT) groups.
- Interestingly, in some instances, it appeared that the implant had first been deployed by an IP address associated with an Iranian APT group, and then was later accessed from infrastructure associated with Turla.
- In order to initiate connections with the implants, Turla must have had access to relevant cryptographic key material, and likely had access to controller software in order to produce legitimate tasking.
- In other instances, Neuron was deployed by Turla to victims which they already had access to via their Snake toolkit, with all observed connections from Turla-associated infrastructure.