Title: Turla APT Exploits Iranian APT Tools

Date: 22 October 2019

TLP:WHITE

1. Executive Summary

On 21 October, the National Security Agency (NSA) and the United Kingdom’s National Cyber Security Centre (NCSC) published a joint update report stating their determination that several tools (Neuron, Nautilus) used by the Turla advanced persistent threat (APT) group are “very likely Iranian in origin.”¹ Turla is also known as Waterbug or Venomous Bear, and is associated with Russian actors. The authors of this advisory assessed that the Iranian actors behind the tools themselves were very likely unaware of or not complicit with this activity. 

According to the report, Turla focused its initial testing of the tools in the Middle East, where both Russia and Iran have interests. Victim groups reportedly included military establishments, government departments, scientific organizations, and universities, and IP addresses that Turla scanned for ASPX webshell spanned 35 countries.²   

2. Analysis

The advisory explains that the researchers found two groups of victims based on compromise; the first used Turla’s infrastructure. Initially, Turla used Neuron and Nautilus in conjunction with a rootkit named Snake, which they had earlier used to compromise victims. According to the previous NCSC advisories, Snake is similar to Neuron and Nautilus in that it “provides a platform to steal sensitive data, act as a gateway for internal network operations, and is used to conduct onward attacks against other organizations.”³

The second victim group was connected by infrastructure associated with Iranian APT groups: Turla scanned for victims already infected with Iranian backdoors that Turla could leverage with Neuron or Nautilus. The NCSC and NSA assessed that despite Turla’s knowledge of the Iranian APT tools (including cryptographic keys and controller software), they must have had more limited knowledge of where they had been deployed, forcing them to scan for victims.⁴ 

The NSA and NCSC indicate that Turla exfiltrated data on Iranian APT activity, such as directory information, command and control (C2) domains, and other keylogger output. This also gives Turla victim lists and infrastructure credentials, as well as code for building their own, independent versions of Iranian tools such as Neuron.⁵

The NCSC has been reporting on Turla’s use of Neuron and Nautilus since 2017, but private sector researchers have also published on aspects of this topic this year.   

• In June, Symantec identified an attack in which Turla/Waterbug used infrastructure associated with Iranian APT group OilRig (aka APT34 or Crambus). Symantec’s data showed that an attacker created and delivered a customized version of the Mimikatz hacking tool via known OilRig tools and infrastructure, including the Powruner tool and Poison Frog control panel. Symantec tied the Mimikatz variant to Turla based on several data points, including but not limited to its custom packing routine that is unique to that group, and which was also used as a packer in the Mimikatz version that dropped Turla’s version of the Neuron implant.⁶
• In April, Wired published an article about an unattributed group attacking OilRig and posting data, tools (including Poison Frog), intrusion points, server IPs, and personal information of alleged OilRig members, to a public, Telegram channel reportedly called Read My Lips or Lab Dookhtegan (meaning “sewn lips” in Farsi).⁷

3. Prevention and Mitigation

The NCSC provided a technical update on Turla’s Neuron malware in January 2018,⁸ notifying the public that the APT had updated the malware following an initial advisory on the malware three months earlier. The January report also provided Neuron-related endpoints, file information and YARA rules.⁹

Organizations monitoring for or maintaining threat profiles of Iran-associated APT groups should take care in attributing activity involving any of the hacked Iranian tools or infrastructure; be sure to evaluate artifacts and indicators for signs of modifications by Turla (the cited articles go into further detail). 

4. Indicators of Compromise

This week’s advisory did not provide new or additional IOCs other than the strings “!!!MAY BE SHELL!!! (check version)” and “!!!MAY BE SHELL!!! (100%).” Turla had scanned for ASPX shells with these strings and recorded the results in an output log file, which was recovered from a Snake victim.¹⁰ 

Endnotes

1.  https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_TURLA_20191021%20VER%203%20-% 20COPY.PDF 
2. https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_TURLA_20191021%20VER%203%20-% 20COPY.PDF 
3. https://www.ncsc.gov.uk/news/turla-group-malware 
4. https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_TURLA_20191021%20VER%203%20-% 20COPY.PDF 
5. https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_TURLA_20191021%20VER%203%20-% 20COPY.PDF 
6. https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments 
7. https://www.wired.com/story/iran-hackers-oilrig-read-my-lips/
8. https://www.ncsc.gov/news/turla-group-malware
9. https://www.ncsc.gov.uk/static-assets/documents/Turla%20Neuron%20Malware%20Update.pdf

10.https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_TURLA_20191021%20VER%203%20-% 20COPY.PDF