The NCSC has produced technical analysis on the Turla group, a prevalent cyber threat group targeting the UK. The report contains indicators of compromise for tools used by the group, and signatures that will enable the information security community to search for these intrusions on their networks.
The NCSC has observed the Turla group using the Neuron and Nautilus malicious tools designed to operate on Microsoft Windows platforms, primarily targeting mail servers and web servers. These tools are being used to maintain persistent network access and to conduct operations that compromise networks for the purposes of intelligence collection.
The NCSC’s technical analysis has also revealed both Neuron and Nautilus being used in conjunction with the Snake rootkit. In a number of instances, one or both of these tools has been deployed following the successful installation of Snake. The NCSC believes that Neuron and Nautilus are another component of the wider Turla campaign and are not acting as replacements for the Snake rootkit. It is likely that these tools have seen wider deployment since the Snake rootkit has been reported on by the information security industry, providing the group with additional methods of access.
The Turla group target government, military, technology, energy and commercial organisations and they are known to have operated on targets using a rootkit known as Snake for many years. Like Neuron and Nautilus, Snake provides a platform to steal sensitive data, acts as a gateway for internal network operations and is used to conduct onward attacks against other organisations. The group is experienced in maintaining covert access through incident response activities. They infect multiple systems within target networks and deploy a diverse range of tools to ensure that they retain a foothold in a victim's system even after the initial infection vector has been mitigated.
In November 2017, the NCSC released an advisory highlighting the Turla Group’s use of the tools Neuron and Nautilus.
Since then, the NCSC has identified a new version of the Neuron malware. The new version has been modified to evade previous detection methods.
Neuron operates on Microsoft Windows platforms, primarily targeting mail servers and web servers. The NCSC has observed this tool being used by the Turla group to maintain persistent network access and to conduct network operations.
The compile times contained within these new binaries show that the actor implemented the required modifications to Neuron approximately five days after public releases by the NCSC and other vendors.
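The compile-time comparison described above can be reproduced by reading the COFF TimeDateStamp from a PE header and measuring it against a disclosure date. The following is an added example, not code from the NCSC report; the reference date is a placeholder for the November 2017 advisory, and the sample header is constructed for the demonstration rather than taken from a real Neuron binary.

```python
import struct
from datetime import datetime, timedelta, timezone

# Placeholder for the advisory publication date (assumption; substitute the real date).
REFERENCE_DATE = datetime(2017, 11, 1, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout: 'MZ' DOS header, e_lfanew at offset 0x3C pointing to 'PE\\0\\0',
    then the 20-byte COFF header whose TimeDateStamp sits at +4 after the
    signature (Machine and NumberOfSections precede it).
    Note: the stamp is written by the linker and is under the author's control,
    so treat it as a claim to be corroborated, not as ground truth.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def days_after_disclosure(data: bytes, disclosure: datetime = REFERENCE_DATE) -> float:
    """Days between a public disclosure and the sample's claimed build time."""
    return (pe_compile_time(data) - disclosure) / timedelta(days=1)


def build_sample(timestamp: int) -> bytes:
    """Construct a minimal PE-like header carrying the given TimeDateStamp.

    Test data only: enough structure for the parser, not a runnable binary.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections=1, TimeDateStamp, then zeroed remaining fields.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    five_days_later = int(REFERENCE_DATE.timestamp()) + 5 * 86400
    print(f"built {days_after_disclosure(build_sample(five_days_later)):.1f} days after disclosure")
```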
This NCSC report provides new intelligence on the Neuron malware, a tool used by the Turla group to target the UK. It contains IOCs and signatures to be used for network monitoring and detection.
This advisory provides information to detect Neuron and Nautilus infections. The NCSC encourages any organisation that has previously experienced a compromise by the Turla group to be diligent in checking for the presence of these additional tools. Whilst they are commonly deployed alongside the Snake rootkit, these tools can also be operated independently.