Now that we’ve had some time to reflect, let’s break down the @NCSC & @NSAGov Turla advisory #thread ncsc.gov.uk/news/turla-gro…
1st point is that we (private sector threat intel researchers) mistook the provenance of Neuron and Nautilus. NCSC’s previous advisory denounced the use of both tools alongside Turla’s staple rootkit and we assumed new tools from the Turla devs but it seems they’d been stolen. 
Keep in mind that the advisory is hinting at some dev access, some infrastructure access, but perhaps not complete access to Iran’s full operational stack. Turla first deploys the tool to their rootkit victims for testing and further functionality.
We enter the realm of fourth-party collection with a scenario @craiu and I described as ‘victim stealing’, where attacker A’s vulnerable backdoor design allows attacker B to identify and usurp victims, piggybacking on exfil or disabling A’s toolkit to replace it with their own.
This dynamic is entailed by the need for scanning to identify targets already infected by the Iranians
For those following along at home, this is precisely why mature threat actors emphasize the importance of NOBUS backdoor design (‘Nobody But Us’)— I.e. my backdoor shouldn’t enable someone else to access the target.
Non-NOBUS backdoors usually entail unauthenticated webshells or backdoors that leverage a simple handshake before accepting commands. A decent RE can replicate the handshake and use the same functionality enabled by the attackers.
In this case, it seems the IR devs had implemented auth but since Turla gained access to encryption keys + understanding the protocol used by the ASPX shell, Turla operators could leverage access as their own.
Turla’s compromise of Iranian ops gets more interesting with the revelation of further access to specific operational infrastructure. The mention of PoisonFrog should raise alarms for those that followed the Lab Dookhtegan leaks back in April.
Additionally, it seems Turla popped IR’s ‘operational infrastructure’ (unclear distinction whether CnC servers, op boxes, Dev boxes, or all) cementing a lasting claim on Iranian ops beyond a simple misconfigured server. (Active
The true a Fourth-Party collection loop is closed with the exfiltration of materials exfiled by the IR from their victims.
The final image is one of complete ownership of IR ops by the epic Turla.
The final image is one of complete ownership of IR ops by the epic Turla.
Finally, the elephant in the room entails the vantage point NSA+GCHQ would’ve had to be in in order to gain these insights. While some of the initial warnings could’ve come from observing traffic to/from IR’s C2 infra or Symantec’s reporting re:Poison Frog+Turla deployment...
...their ability to comment on the placement of Turla implants within IR’s infrastructure + original development provenance of the backdoors entails the same or greater level of access.
Should not come as a surprise. Not the first time FVEY’s accesses Turla ops infra (refer to leaked CSEC slides under heading ‘MAKERSMARK: Designed by geniuses, Implemented by morons’ where passive collection allowed identification of ops/dev traffic despite anonymization network)
Established mature threat actor ‘best practices’ include victim box deconfliction measures intended to provide situational awareness and avoid overlaps with friends, frienemies, and antagonists. For more on this, refer to: github.com/juanandresgs/p…
And for our original work on Fourth-Party Collection, you can find the paper here: github.com/juanandresgs/p…
