Russian-linked hackers known as the Turla group have been piggybacking on Iranian hackers’ tools and infrastructure for years now to run their own attacks, according to a joint announcement Monday from the National Security Agency and the U.K.’s National Cyber Security Centre.
A two-year-long investigation revealed that the Turla group, which has been linked to Russian intelligence, scanned for the presence of Iranian-built backdoors, then used them to try to gain a foothold in victim networks in at least 35 countries, largely in the Middle East, according to the NSA. This announcement again demonstrates how hackers will use other attackers’ techniques, creating the false impression that one espionage group is behind an operation when, in fact, it’s another.
“Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims,” the NCSC’s Director of Operations, Paul Chichester, said in a statement.
Turla would run its own cyber-espionage operations using that Iranian access, deploying its own implants, such as a rootkit, to gather information on victims, namely government outfits, military and technology organizations, and energy and commercial entities.
In some cases, the implant in question appeared to have been deployed first from an IP address associated with the Iranian cyber-espionage group known as OilRig. Turla’s infrastructure would then access that implant.
That indicates Turla had access to the cryptographic keys needed to connect to the implants, according to the NSA and the NCSC, an outfit of the U.K.’s Government Communications Headquarters, the U.K.’s signals intelligence agency.
But it doesn’t mean they’re working together
The NSA and NCSC assess it is almost certain that the Iranian cyber-espionage group has been unaware of the Russians’ hijacking of their implants, known as Neuron and Nautilus.
Meanwhile, the Russians may not have initially known exactly where the OilRig implants were deployed, the NSA notes.
“Although they had a significant amount of insight into the Iranian tools, they did not have full knowledge of where they were deployed,” the advisory reads.
The joint investigation appears to confirm what the private sector has already revealed about the Turla group. Symantec, for instance, reported in June that Turla apparently hijacked another group’s infrastructure to deliver malware on a victim’s network in the Middle East.
But this is a signal that government efforts to publicly identify hackers will continue, even when they’re investigating apparent false-flag operations.
“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” Chichester said.
It is also likely intended to send a signal to Russian intelligence that their efforts to hide their cyber-espionage weren’t successful, even though the NSA and NCSC didn’t directly link Turla to the Kremlin, tweeted Thomas Rid, a political scientist at Johns Hopkins’ School of Advanced International Studies.
“[C]atching Russian spies camouflaging as Iranian intel and using their gear is basically the digital equivalent of busting a crafty double agent in a third country, embarrassing two adversaries in one go,” Rid said.