NSA and NCSC Release Joint Advisory on Turla Group Activity

The National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) have released a joint advisory on advanced persistent threat (APT) group Turla—widely reported to be Russian and also known as Snake, Uroburos, VENEMOUS BEAR, or Waterbug. The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools. According to the Symantec Threat Intelligence blog, the Iranian APT group is APT 34, known as HELIX KITTEN or OilRig.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the resources listed below for more information. Additionally, CISA advises cybersecurity analysts to avoid possible misattribution by being vigilant when examining activity that appears to originate from the Iranian APT; it may be the Turla group in disguise.

• NSA Advisory Turla Group Exploits Iranian APT To Expand Coverage Of Victims
• UK NCSC Advisory Turla group exploits Iranian APT to expand coverage of victims
• January 2018 UK NCSC Report Turla Group Malware
• Symantec Threat Intelligence blog Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments