A Russian attack group known as Turla that has been very active and has an extensive arsenal of tools at its disposal is suspected of using tools and attack infrastructure developed and operated by an Iranian APT group to target victim organizations in a number of industries, including government, military, and energy, mainly in the Middle East.
The Turla group has been operating for at least 15 years in various capacities and is known to go after high-level targets, especially in the government and diplomatic sectors, using a deep catalog of custom intrusion tools, backdoors, and exfiltration mechanisms. Researchers have associated Turla with the Russian government, and it is one of many such active threat groups tied to Moscow. A number of Turla’s operations have been discovered and exposed over the years, including the Epic Turla campaign in 2014, which used at least two Windows zero-days in addition to watering-hole and spear-phishing attacks against political targets.
While Turla has its own extensive infrastructure, the group has compromised some of the command-and-control infrastructure operated by the OilRig group, which is attributed to the Iranian government. OilRig has targeted many of the same types of organizations as Turla, and new research and reporting from both the National Security Agency and the UK’s National Cyber Security Centre concludes that Turla used its access to the OilRig infrastructure to obtain the Neuron and Nautilus malicious implants and then deploy them against their own targets. Both Neuron and Nautilus are Windows implants and have been seen in several Turla operations previously, but the NSA and NCSC research attributes those two tools to the Iranian group. In some of the recent operations analyzed by the intelligence agencies, Turla deployed one or both of the Iranian implants on targets that the group had compromised previously with its own Snake rootkit.
“After acquiring the tools – and the data needed to use them operationally – Turla first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims. Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold. The focus of this activity from Turla was largely in the Middle East, where the targeting interests of both Advanced Persistent Threats (APTs) overlap,” the NSA/NCSC analysis says.
“The timeline of incidents, and the behavior of Turla in actively scanning for Iranian backdoors, indicates that while Neuron and Nautilus tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements. The behavior of Turla in scanning for backdoor shells indicates that although they had a significant amount of insight into the Iranian tools, they did not have full knowledge of where they were deployed.”
Although high-level attack groups such as Turla and OilRig have in-house teams that develop their own custom malware, implants, and backdoors, it’s not unusual for more than one attack group to use a particular tool. Sometimes this is the result of separate teams within an organization or country cooperating, or it can happen when researchers expose tools publicly. But one attack group deliberately compromising the infrastructure of another group and then stealing and using its tools is less common. The victim sets of Turla and OilRig overlap considerably in general, with both teams going after government, technology, and other targets in the Middle East. In some of the instances investigated by the NSA and NCSC, Turla was able to take over control of implants that likely were first deployed by the Iranian group.
“In order to initiate connections with the implants, Turla must have had access to relevant cryptographic keys, and likely had access to controller software to produce legitimate tasking,” the analysis says.
In addition to grabbing the Neuron and Nautilus backdoors, the Turla attackers spread their own malware inside the OilRig operational infrastructure to maintain access and allow them to steal information.
“The Turla group deployed their own implants against the operational infrastructure used by an Iranian APT actor and used this to further their own accesses into the Iranian APT’s global infrastructure. Exfiltration of data from Iranian APT infrastructure to Turla infrastructure took place,” the analysis says.
“Data exfiltrated from the Iranian infrastructure by Turla included directory listings and files, along with keylogger output containing operational activity from the Iranian actors, including connections to Iranian C2 domains. This access gave Turla unprecedented insight into the tactics, techniques and procedures (TTPs) of the Iranian APT, including lists of active victims and credentials for accessing their infrastructure, along with the code needed to build versions of tools such as Neuron for use entirely independently of Iranian C2 infrastructure.”