The NCSC has produced technical analysis on the Turla group, a prevalent cyber threat group targeting the UK. The report contains indicators of compromise for tools used by the group, and signatures that will enable the information security community to search for the intrusions on their networks.
The NCSC has observed the Turla group using the Neuron and Nautilus malicious tools designed to operate on Microsoft Windows platforms, primarily targeting mail servers and web servers. These tools are being used to maintain persistent network access and to conduct operations that compromise networks for the purposes of intelligence collection.
The NCSC’s technical analysis has also revealed both Neuron and Nautilus being used in conjunction with the Snake rootkit. In a number of instances, one or both of these tools has been deployed following the successful installation of Snake. The NCSC believes that Neuron and Nautilus are another component of the wider Turla campaign and are not acting as replacements for the Snake rootkit. It is likely that these tools have seen wider deployment since the Snake rootkit has been reported on by the information security industry, providing the group with additional methods of access.
The Turla group target government, military, technology, energy and commercial organisations and they are known to have operated on targets using a rootkit known as Snake for many years. Like Neuron and Nautilus, Snake provides a platform to steal sensitive data, acts as a gateway for internal network operations and is used to conduct onward attacks against other organisations. The group is experienced in maintaining covert access through incident response activities. They infect multiple systems within target networks and deploy a diverse range of tools to ensure that they retain a foothold in a victim's system even after the initial infection vector has been mitigated.
This advisory provides information to detect Neuron and Nautilus infections. The NCSC encourages any organisation that has previously experienced a compromise by the Turla group to be diligent in checking for the presence of these additional tools. Whilst they are commonly deployed alongside the Snake rootkit, these tools can also be operated independently
Download the advisory as a PDF using the 'downloads' tab above or, alternatively, download the advisory here.