Russian Turla group masqueraded as Iranian hackers in attacks

The Russian hacker group Turla disguised itself as Iranians and stole state secrets from multiple countries, authorities from the U.S. and U.K. said Monday. 

“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign,” Paul Chichester, director of operations at GCHQ's National Cyber Security Centre, said in a release. “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.”

“The joint response from the NCSC and the NSA is clearly meant to send a message to hostile APT groups that they will attribute an attack accurately, even if substantial steps to obfuscate the actor’s origins are taken,” said Richard Gold, head of security engineering at Digital Shadows.

But while attribution “is great for pointing fingers and laying blame" and titillating the media, “during an active attack, it doesn’t matter who is attacking you or why,” said Chris Morales, head of security analytics at Vectra. “All that matters is that someone is attacking you, that you are aware of the attack, and determining what you are going to do about it.”

In an 18-month campaign, Turla, aka Uroboros, “acquired access to Iranian tools and the ability to identify and exploit them to further their own aims,” said Chichester. They were able to infiltrate systems of organizations located in more than 35 countries. 

The Russian hackers, in some cases, seemed to use an IP address associated with Iran’s APT34, or OilRig, group to deploy an implant, which they later accessed from Turla, or Venomous Bear, which a joint advisory from the NCSC and the National Security Agency (NSA) said suggested “Turla effectively took control of victims previously compromised by a different actor.”

Other implants “had previously been connected to by Virtual Private Server (VPS) IP addresses associated in the open source cybersecurity community with Iranian APT groups,” the advisory said.

Once Turla had acquired tools and the data needed to use them, it “first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims,” the security agencies explained. “Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold. The focus of this activity from Turla was largely in the Middle East, where the targeting interests of both Advanced Persistent Threats (APTs) overlap.”

An analysis of Turla’s behavior in scanning for Iranian backdoors, as well as the timeline, suggest that while the Neuron and Nautilus tools used by the group originated in Iran, the advisory said, “Turla were using these tools and accesses independently to further their own intelligence requirements” with the scanning for backdoor shells indicating the Russian hackers “did not have full knowledge of where they were deployed.”

The NCSC had previously put out advisories in 2017 and 2018 on Turla’s use of Neuron and Nautilus, employed in some cases along with Snake. Subsequent analysis found that the tools had been used against a wide swath of victims, with a heavy concentration in the Middle East. Among the victims in those attacks were military groups, government departments, scientific organizations and universities.

In a June blog post, experts from Symantec chronicled three campaigns, targeting 13 organizations in the government, education and IT/communications sectors, across five global regions, in which Turla likely hijacked the command-and-control infrastructure of OilRig to deliver a custom backdoor to intended victims.

Hijacking or piggybacking onto another hacking group's efforts has grown more commonplace. "APT groups from various backgrounds have been observed compromising each other’s infrastructure as it provides the double benefit of not only hiding your own tracks but also providing you with immediate access to all the targets that the original threat actor has compromised,” said Gold. “There may even be a self-defence angle to this attack. By compromising another APT group, like APT34, the Turla group can see if any of their own infrastructure or assets were attacked by APT34.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.