False flags and masquerades

A Russian government-backed cyber threat group stole Iranian hacking tools and used them to conduct attacks against dozens of countries, western intelligence agencies allege.

An advanced Russian threat group, nicknamed ‘Turla’, used malware-based implants derived from suspected Iran-based hacking groups’ previous campaigns to run a wide-ranging cybercrime operation that disguised its origin.

In order to acquire these tools and access the infrastructure, Turla compromised the suspected Iran-based hacking groups themselves.

Victims, the majority of whom were based in the Middle East, suffered looted documents from various sectors, including governments, as a result of these attacks.

The cyber-attacks against more than 35 countries presented as the work of Iranian hackers from the OilRig group (APT34), but analysis by the UK’s National Cyber Security Centre (NCSC – a division of GCHQ) and US National Security Agency (NSA) revealed evidence to the contrary.

Cyber Inception

In a rare joint statement issued yesterday, the NCSC and NSA said Russian hackers essentially co-opted the infrastructure and utilities of an Iranian group to their own ends.

“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign,” explained Paul Chichester, the NCSC’s director of operations.

“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.

“Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims,” he added.


YOU MIGHT ALSO LIKE Region-specific software offers rich pickings for state-sponsored attackers


Part of the evidence that led to this conclusion was that, in some cases, malware implants first planted via an IP address associated with an Iranian APT group were later accessed from infrastructure associated with Turla, the suspected Russia-based group.

“Turla effectively took control of victims previously compromised by a different actor,” according to the NCSC.

Collusion between two cyber-spy operations who are both interested in the Middle East was unlikely, according to NSA/NCSC.

“Those behind [suspected Iran-backed campaigns] Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla’s use of their implants,” according to a joint report from the NCSC and NSA highlighting Turla activity.

What’s in a name?

This latest report from the NCSC and NSA comes four months after Symantec went public with similar findings.

The US-based security outfit said that Turla (also known as ‘Waterbug’, ‘Venomous Bear’, and ‘Uroburos’) “may have hijacked a separate espionage group’s infrastructure during one attack against a Middle Eastern target” and named OilRig (APT34) as the victim.

The NCSC and the normally secretive NSA going public with their findings about a false flag operation may seem surprising, but is ostensibly designed to raise awareness of the practice among critical national infrastructure providers.

“Our main intent right here is to point out that there’s a lot of false flagging going on out there and we want to make sure our national security systems that we’re trying to defend are aware,” said Doug Cress, a division chief within the NSA’s newly formed Cybersecurity Directorate, Reuters reports.

Turla is an advanced hacking crew that has long targeted government, military, technology, energy, and commercial organisations. The group has elsewhere been linked with the Russian federal security service (FSB).

‘I drink your milkshake’ – Fourth-party collection

In the world of cyber-espionage, intel agencies piggybacking each other to achieve their objectives is not especially uncommon.

There’s even a term of art for the practice, ‘fourth-party collection’ – industry parlance first exposed by NSA whistleblower Edward Snowden.

The difficulties of attribution in cases where rival cyber-spy groups are hacking each other’s systems in order to throw analysts off the scent was covered in a well-received presentation by Juan Andrés Guerrero-Saade and Costin Raiu of Kaspersky at the Virus Bulletin conference in 2017.


RECOMMENDED Hacktivism returns to its roots as a cyber warfare tool