National Cyber Security Centre
UK and US intelligence exposes Turla group attack
Turla revealed as exploiting Iranian hacking tools and techniques to attack dozens of countries.
Cyber actors Turla group acquired Iranian tools and infrastructure to conduct attacks on dozens of countries, security officials in the UK and USA have revealed.
Advisories published today (21 October) by the UK’s National Cyber Security Centre (NCSC) and US National Security Agency (NSA) have shown that the group targeted victims and adopted techniques used by suspected Iran-based hacking groups.
Victims, the majority of whom were based in the Middle East, saw documents extracted from various sectors, including governments.
Turla used implants derived from the suspected Iran-based hacking groups’ previous campaigns, ‘Neuron’ and ‘Nautilus’. In order to acquire these tools and access the infrastructure, Turla also compromised the suspected Iran-based hacking groups themselves.
The attacks against more than 35 countries would appear to the victims to be Iranian in origin, but the NCSC revealed that this was not the case.
Paul Chichester, the NCSC’s Director of Operations, said:
“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign.
“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.
“Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims.”
Interestingly, in some instances, it appeared that the implant had first been deployed by an IP address associated with an Iranian APT group, and then was later accessed from infrastructure associated with Turla, a suspected Russia-based group, suggesting Turla effectively took control of victims previously compromised by a different actor.
Turla, which is also known as Waterbug or VENOMOUS BEAR, regularly collects information by targeting government, military, technology, energy and commercial organisations.
- The UK Government is fully committed to defending against cyber threats and set up the National Cyber Security Centre (NCSC) as part of GCHQ in 2016.
- The NCSC was created as part of the five-year National Cyber Security Strategy in 2016, supported through £1.9 billion transformative investment.
- The NCSC is the UK’s lead technical authority on cyber security and offers unrivalled real-time threat analysis, defence against national cyber attacks and tailored advice to victims when incidents do happen.
Background: Neuron and Nautilus usage by Turla
- The NCSC published two advisories on the use of Neuron and Nautilus tools by Turla in late 2017 and early 2018. These tools were observed in use alongside Snake on a number of victims.
- Since publication of those advisories, further analysis by the NCSC and the wider infosec community determined that Neuron and Nautilus tools were present on a range of victims, with a large cluster in the Middle East.
- Victims in this region included military establishments, government departments, scientific organisations and universities. Some of these victims, but not all, also had a Snake implant present.
- Investigation into these victims identified that while some implants had been deployed and administered from infrastructure associated with the Turla group, others had previously been connected to by Virtual Private Server (VPS) IP addresses associated in the open source community with Iranian Advanced Persistent Threat (APT) groups.
- Interestingly, in some instances, it appeared that the implant had first been deployed by an IP address associated with an Iranian APT group, and then was later accessed from infrastructure associated with Turla.
- In order to initiate connections with the implants, Turla must have had access to relevant cryptographic key material, and likely had access to controller software in order to produce legitimate tasking.
- In other instances, Neuron was deployed by Turla to victims which they already had access to via their Snake toolkit, with all observed connections from Turla-associated infrastructure.
Latest News from
National Cyber Security Centre
NCSC nurtures cyber stars of the future22/01/2020 11:15:00
CyberFirst Trailblazers and Adventurers event saw schoolchildren from across London at the NCSC.
Alert: Actors exploiting Citrix products vulnerability15/01/2020 14:15:00
An NCSC alert detailing the investigation into the exploitation of a critical vulnerability in Citrix products.
Cyber security world first as unique guide is launched10/01/2020 09:15:00
The Cyber Security Body of Knowledge (CyBOK) has been launched at London's Science Museum.
Schoolgirl codebreakers enter national contest in record numbers09/01/2020 12:05:00
Days to go until the CyberFirst Girls Competition opens with registration at a new high.
The NCSC reaches out on Small Business Saturday09/12/2019 12:15:00
Bite-sized advice has been issued by the NCSC for small businesses on Small Business Saturday.
UK and US investigations into harmful international cyber campaigns06/12/2019 15:05:00
NCSC re-issues advice on how to reduce your risk of becoming a victim of malware attacks
CyberFirst Girls Competition finalists meet world leaders04/12/2019 13:20:00
Senior NATO officials meet one of the top teams at No 10 reception.
CyberFirst Girls Competition registration open02/12/2019 15:15:15
Registration has opened for the CyberFirst Girls Competition 2020.