Turla group exploits Iranian APT to expand coverage of victims
released on 2019-10-21 @ 08:51:27 AM
Previous advisories from the NCSC detailed Turla’s use of Neuron and Nautilus
implants and an ASPX-based backdoor alongside the Snake rootkit. This document
provides an update on the reported activity, with a particular focus on how those tools
were used in the period leading up to, and following, the publication of those
advisories.
Since those advisories were published, the NCSC, NSA and partner-shared analysis
of additional victims and infrastructure determined that the Neuron and Nautilus tools
were very likely Iranian in origin. Those behind Neuron or Nautilus were almost
certainly not aware of, or complicit with, Turla’s use of their implants.