The Turla group, also known as Waterbug or VENOMOUS BEAR, is widely reported to be associated with Russian actors. Turla uses a range of tools and techniques to target government, military, technology, energy and commercial organisations for the purposes of intelligence collection. Turla’s use of Neuron and Nautilus implants and an ASPX-based backdoor alongside the Snake rootkit.
After acquiring the tools – and the data needed to use them operationally – Turla first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims. Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold. The focus of this activity from Turla was largely in the Middle East, where the targeting interests of both Advanced Persistent Threats (APTs) overlap.
Block all threat indicators at your respective controls.