Russian Turla group masqueraded as Iranian hackers in attacks

News by Teri Robinson

Russian hacker group Turla disguised itself as Iranians and stole state secrets from multiple countries, UK, US authorities say

The Russian hacker group Turla disguised itself as Iranians and stole state secrets from multiple countries, authorities from the US and UK said. 

"Identifying those responsible for attacks can be very difficult, but?the weight of evidence points towards the Turla group being behind this campaign," Paul Chichester, director of operations at GCHQ’s National Cyber Security Centre, said in a release. "We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them."

"The joint response from the NCSC and the NSA is clearly meant to send a message to hostile APT groups that they will attribute an attack accurately, even if substantial steps to obfuscate the actor’s origins are taken," said Richard Gold, head of security engineering at Digital Shadows.

But while attribution "is great for pointing fingers and laying blame" and titillating the media, "during an active attack, it doesn’t matter who is attacking you or why," said Chris Morales, head of security analytics at Vectra. "All that matters is that someone is attacking you, that you are aware of the attack, and determining what you are going to do about it."

In an 18-month campaign, Turla, aka Uroboros, "acquired access to Iranian tools and the ability to identify and exploit them to further their own aims," said Chichester. They were able to infiltrate systems of organisations located in more than 35 countries. 

The Russian hackers, in some cases, seemed to use an IP address associated with Iran’s APT34, or OilRig, group to deploy an implant, which they later accessed from Turla, or Venomous Bear, which a joint advisory from the NCSC and the National Security Agency (NSA) said suggested "Turla effectively took control of victims previously compromised by a different actor."

Other implants "had previously been connected to by Virtual Private Server (VPS) IP addresses associated in the open source cybersecurity community with Iranian APT groups," the advisory said.

Once Turla had acquired tools and the data needed to use them, it "first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims," the security agencies explained. "Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold. The focus of this activity from Turla was largely in the Middle East, where the targeting interests of both Advanced Persistent Threats (APTs) overlap."

An analysis of Turla’s behavior in scanning for Iranian backdoors, as well as the timeline, suggest that while the Neuron and Nautilus tools used by the group originated in Iran, the advisory said, "Turla were using these tools and accesses independently to further their own intelligence requirements" with the scanning for backdoor shells indicating the Russian hackers "did not have full knowledge of where they were deployed."

The NCSC had previously put out advisories in 2017 and 2018 on Turla’s use of Neuron and Nautilus, employed in some cases along with Snake. Subsequent analysis found that the tools had been used against a wide swath of victims, with a heavy concentration in the Middle East. Among the victims in those attacks were military groups, government departments, scientific organisations and universities.

In a June blog post, experts from Symantec chronicled three campaigns, targeting 13 organisations in the government, education and IT/communications sectors, across five global regions, in which Turla likely hijacked the command-and-control infrastructure of OilRig to deliver a custom backdoor to intended victims.

Hijacking or piggybacking onto another hacking group’s efforts has grown more commonplace.

"APT groups from various backgrounds have been observed compromising each other’s infrastructure as it provides the double benefit of not only hiding your own tracks but also providing you with immediate access to all the targets that the original threat actor has compromised," said Gold.

"There may even be a self-defence angle to this attack. By compromising another APT group, like APT34, the Turla group can see if any of their own infrastructure or assets were attacked by APT34."

Threat groups often compromise legitimate infrastructure, but compromising a rival attacker group is not a common thing, noted Tarik Saleh, senior security engineer at DomainTools.

"One concept that attackers don’t always put enough effort into designing is how to protect their own attacker infrastructure and tools. There is a lot of depth into finding vulnerabilities, writing exploits and establishing command and control servers but it’s not uncommon to overlook the security posture of that same network," he told SC Media UK.

"In this case, Turla took advantage of the Iranian threat groups' weak security controls and used their own infrastructure to advance their goals and motives."

The original version of this article was published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews