Now that we’ve had some time to reflect, let’s break down the @NCSC & @NSAGov Turla advisory #thread ncsc.gov.uk/news/turla-gro…
1st point is that we (private sector threat intel researchers) mistook the provenance of Neuron and Nautilus. NCSC’s previous advisory denounced the use of both tools alongside Turla’s staple rootkit and we assumed new tools from the Turla devs but it seems they’d been stolen.
Keep in mind that the advisory is hinting at some dev access, some infrastructure access, but perhaps not complete access to Iran’s full operational stack. Turla first deploys the tool to their rootkit victims for testing and further functionality.
We enter the realm of fourth-party collection with a scenario @craiu and I described as ‘victim stealing’, where attacker A’s vulnerable backdoor design allows attacker B to identify and usurp victims, piggybacking on exfil or disabling A’s toolkit to replace it with their own.
This dynamic is entailed by the need for scanning to identify targets already infected by the Iranians.
For those following along at home, this is precisely why mature threat actors emphasize the importance of NOBUS backdoor design (‘Nobody But Us’), i.e. my backdoor shouldn’t enable someone else to access the target.
Non-NOBUS backdoors usually entail unauthenticated webshells or backdoors that leverage a simple handshake before accepting commands. A decent RE can replicate the handshake and use the same functionality enabled by the attackers.
In this case, it seems the IR devs had implemented auth but since Turla gained access to encryption keys + understanding the protocol used by the ASPX shell, Turla operators could leverage access as their own.
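To make the distinction in the two tweets above concrete, here is an added toy simulation (not code from the thread or from any of the tools it discusses). It models a listener that trusts a fixed greeting, as in the ‘simple handshake’ case, next to one that uses a keyed challenge-response, and shows what a passive observer who recorded one session can and cannot do with the transcript. The greeting string and the key are constructed values; the final case models the situation the thread describes, where authentication exists but the key itself has been taken.

```python
import hashlib
import hmac
import os
import secrets

# Design 1: a fixed greeting. Anyone who has seen one session can present it again.
STATIC_HELLO = b"hello-v1"  # constructed placeholder for a hard-coded handshake string


def static_server_accepts(hello: bytes) -> bool:
    """Listener that admits any peer presenting the fixed greeting."""
    return hmac.compare_digest(hello, STATIC_HELLO)


# Design 2: keyed challenge-response with single-use nonces.
class ChallengeServer:
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already-consumed nonce: a replayed transcript
        self.outstanding.discard(nonce)
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key: bytes, nonce: bytes) -> bytes:
    """Answer a challenge; only a holder of the key can compute this."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def simulate() -> dict:
    """Run the three scenarios and report which ones the listener admits."""
    results = {}

    # Observer recorded one legitimate static handshake and presents it later.
    recorded_hello = STATIC_HELLO
    results["static_replay_accepted"] = static_server_accepts(recorded_hello)

    key = secrets.token_bytes(32)  # constructed operator key
    server = ChallengeServer(key)

    # Legitimate session, whose nonce and response the observer also records.
    n1 = server.challenge()
    r1 = client_response(key, n1)
    results["legit_accepted"] = server.accept(n1, r1)

    # Observer replays the recorded transcript, both against the old nonce
    # and against a fresh challenge; neither is admitted.
    n2 = server.challenge()
    results["replay_accepted"] = server.accept(n1, r1) or server.accept(n2, r1)

    # Key material has been taken: the third party can now answer fresh challenges.
    n3 = server.challenge()
    results["stolen_key_accepted"] = server.accept(n3, client_response(key, n3))
    return results


if __name__ == "__main__":
    for name, admitted in simulate().items():
        print(f"{name}: {admitted}")
```

The takeaway matches the thread: a replayable handshake hands the implant to whoever can observe or reverse it, while a keyed challenge-response only falls once the key and protocol are both in the third party’s hands. From the network defender’s side, the same distinction shows up as repeated identical first packets to a suspect endpoint versus varying per-session exchanges.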
Turla’s compromise of Iranian ops gets more interesting with the revelation of further access to specific operational infrastructure. The mention of PoisonFrog should raise alarms for those that followed the Lab Dookhtegan leaks back in April.
Additionally, it seems Turla popped IR’s ‘operational infrastructure’ (unclear distinction whether CnC servers, op boxes, Dev boxes, or all) cementing a lasting claim on Iranian ops beyond a simple misconfigured server. (Active
The true Fourth-Party collection loop is closed with the exfiltration of materials exfiled by the IR from their victims.

The final image is one of complete ownership of IR ops by the epic Turla.
Finally, the elephant in the room entails the vantage point NSA+GCHQ would’ve had to be in in order to gain these insights. While some of the initial warnings could’ve come from observing traffic to/from IR’s C2 infra or Symantec’s reporting re:Poison Frog+Turla deployment...
...their ability to comment on the placement of Turla implants within IR’s infrastructure + original development provenance of the backdoors entails the same or greater level of access.
Should not come as a surprise. Not the first time FVEY accessed Turla ops infra (refer to leaked CSEC slides under heading ‘MAKERSMARK: Designed by geniuses, Implemented by morons’ where passive collection allowed identification of ops/dev traffic despite anonymization network).
Established mature threat actor ‘best practices’ include victim box deconfliction measures intended to provide situational awareness and avoid overlaps with friends, frienemies, and antagonists. For more on this, refer to: github.com/juanandresgs/p…
And for our original work on Fourth-Party Collection, you can find the paper here: github.com/juanandresgs/p…
Finally, private sector owes gratitude to @NSAGov + @NCSC’s willingness to disclose. As I’ve argued before, only the SIGINT giants are in a position to accurately describe these complex dynamics. Public disclosure maims their abuse potential for unwanted tertiary effects. /thread
Keep Current with J. A. Guerrero-Saade