Russian Hackers Using Iranian APT's Infrastructure in Widespread Attacks

New advisory from the UK's NCSC and the NSA throws fresh light on activity first revealed by Symantec in June.

A new report from the United Kingdom's National Cyber Security Center (NCSC) shows that the Russia-backed cyber espionage group Turla has carried out more attacks than previously thought using infrastructure and malware hijacked from Iranian threat group APT34.


The NCSC recently analyzed data pertaining to Turla's use of three malware tools — Neuron, Nautilus, and an ASPX-based backdoor — in attacks targeted at UK organizations. The tools are designed for attackers to steal data and maintain persistence on Windows networks.


The NCSC has previously noted Turla's use of these tools in intelligence-gathering operations targeting organizations in the technology, military, energy, and government sectors. But it had not until now connected the tools to APT34 (aka OilRig, Crambus) - though Symantec did so in a report back in June.


In a joint advisory with the National Security Agency (NSA) published Monday, the NCSC said its analysis of the malware — based on data from multiple sources — shows Neuron and Nautilus are "very likely Iranian in origin." The data shows that Turla not only hijacked APT34's tools but also its command and control infrastructure to deliver malware and additional payloads on compromised systems, the NCSC said.


Symantec in June reported that it had observed Waterbug (the security vendor's name for Turla) using APT34's malware and infrastructure in one targeted attack against an organization in the Middle East. The NCSC and NSA advisory, however, makes clear the Russian threat group used APT34's malware and infrastructure in attacks on multiple targets, especially ..
