Advisory: Turla Group Exploits Iranian APT to Expand Coverage of Victims (Oct 21, 2019)
The Russia-based Turla group has been reported to have scanned victims for Iranian APT backdoors with the intention of using them to gain a further foothold in the target environment. The U.K. National Cyber Security Centre (NCSC) has discerned that the Neuron and Nautilus tools were being exploited by the Turla group, but that Turla's scanning reveals a lack of insight into where the backdoors had already been deployed. An overlap in infrastructure revealed that in some cases an Iranian IP address had been used to first deploy the implant, whilst Turla-associated infrastructure accessed the same implant later. The Turla group appears to have exfiltrated directory listings and keylogger output which included operational activity from the Iranian actors.
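The infrastructure overlap described above (one actor's address deploying an implant, a different actor's infrastructure contacting it later) is something a defender can look for in their own implant-contact telemetry. The following is an added example, not code from the advisory or from NCSC: given a set of constructed access records (timestamp, victim host, source IP) and a hypothetical analyst-maintained table tagging IPs to infrastructure sets, it reports hosts where more than one tagged set touched the same implant, in order of first contact. All IPs are documentation-range placeholders, not real indicators.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (ISO timestamp, victim host, source IP that contacted the implant).
# Placeholder addresses from RFC 5737 documentation ranges; not real indicators.
SAMPLE_ACCESS_LOG = [
    ("2019-01-10T08:00:00", "host-a", "203.0.113.10"),
    ("2019-01-12T09:30:00", "host-a", "203.0.113.10"),
    ("2019-03-02T22:15:00", "host-a", "198.51.100.7"),   # later contact from a different set
    ("2019-01-15T11:00:00", "host-b", "203.0.113.11"),
    ("2019-02-01T11:00:00", "host-b", "203.0.113.11"),
    ("2019-02-20T13:45:00", "host-c", "198.51.100.7"),
]

# Hypothetical infrastructure tags, as an analyst might hold them in a threat-intel platform.
# The tag names are illustrative and do not correspond to any attribution on the page.
INFRA_TAGS = {
    "203.0.113.10": "infra-set-1",
    "203.0.113.11": "infra-set-1",
    "198.51.100.7": "infra-set-2",
}


def find_handoffs(records, tags=INFRA_TAGS):
    """Return {host: [(tag, first_seen_iso), ...]} for every host whose implant was
    contacted by more than one tagged infrastructure set, ordered by first contact.

    A host contacted by only one set (or only by untagged addresses) is not reported;
    an untagged address counts as its own set so a known-then-unknown sequence is surfaced.
    """
    by_host = defaultdict(list)
    for ts, host, ip in records:
        by_host[host].append((datetime.fromisoformat(ts), ip))

    result = {}
    for host, events in by_host.items():
        events.sort()                      # chronological order per host
        first_seen = {}                    # tag -> first time that set contacted the implant
        for when, ip in events:
            tag = tags.get(ip, "untagged")
            first_seen.setdefault(tag, when)
        if len(first_seen) > 1:
            ordered = sorted(first_seen.items(), key=lambda kv: kv[1])
            result[host] = [(tag, when.isoformat()) for tag, when in ordered]
    return result


if __name__ == "__main__":
    for host, sequence in find_handoffs(SAMPLE_ACCESS_LOG).items():
        chain = " -> ".join(f"{tag} (first {when})" for tag, when in sequence)
        print(f"{host}: {chain}")
```

On the constructed log only host-a is reported, because its implant was first contacted by one tagged set and later by another; host-b and host-c each saw a single set. In practice the tags would come from a threat-intelligence platform and the records from proxy, firewall or EDR telemetry, and a hit is a prompt to check attribution carefully rather than a verdict on who deployed the implant.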
Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-depth involves the layering of defence mechanisms. This can include network and endpoint security, social engineering training for staff (such as exercises to help detect phishing emails) and robust threat intelligence capabilities. In this case, there are lessons for security researchers regarding attribution: it would have been difficult to distinguish where the activity was truly originating from without paying close attention.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.