IRON HUNTER
SUMMARY
The IRON HUNTER (also known as Turla) threat group primarily targets government, diplomatic and military organizations, including ministries of foreign affairs and embassies. It operates and maintains a large set of sophisticated malware, including the Snake rootkit, Agent.BTZ/ComRAT, Mosquito, and LightNeuron. CTU researchers assess with high confidence that IRON HUNTER is operated by a Russian intelligence service, and with moderate confidence that IRON HUNTER is operated by the FSB.
IRON HUNTER tactics include strategic web compromises, themed spearphishing lures, fake software update files, and the use of satellite communication hijacking for command and control. In 2019, the U.K. National Cyber Security Centre (NCSC) reported that the Neuron and Nautilus tools, previously linked in public reporting to IRON HUNTER, were instead very likely Iranian in origin, and had been acquired and operated by IRON HUNTER against targets predominantly in the Middle East. The NCSC also reported that IRON HUNTER had used Iranian web shells and COBALT GYPSY's PoisonFrog C2 administration panels to deliver its own malware.