Pierluigi Paganini October 21, 2019

A joint UK and US investigation has revealed that the Russian cyber espionage group Turla carried out cyber attacks masqueraded as Iranian hackers.

According to the Financial Times, a joint UK and US investigation revealed that Russia-linked cyberespionage group Turla conducted several cyber attacks in more than 35 countries masqueraded as Iranian hackers. The use of false flag operations in cyberspace is not a novelty, but this is the first time that Turla APT is adopting a similar strategy.

In 2018, the US intelligence agencies reported that Russian state-sponsored hackers used false flag attacks to hit the Winter Olympics in Pyeongchang, South Korea. At the time the hackers introduced lines of code in their malware associated with North-Korea linked Lazarus Group.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

Experts involved in the investigation believe that the Turla group hijacked the tools of notorious Iran-linked APT group Oilrig since at least 2014. Its attacks are aligned with the strategic interests of Iran, the group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries.

Multiple attacks targeting of Middle Eastern financial, energy and government, lead FireEye to assess that those sectors are a primary concern of APT34. 

“The so-called Turla group, which has been linked with Russian intelligence, allegedly hijacked the tools of Oilrig, a group widely linked to the Iranian government, according to a two-year probe by the UK’s National Cyber Security Centre in collaboration with the US’ National Security Agency.” reported the FT.

The two-year investigation was conducted by the UK’s National Cyber Security Centre in collaboration with the US’ National Security Agency.

The experts believe that the Iranian cyberespionage group was unaware that its hacking methods have been hacked and used by another threat actors to hit military establishments, government departments, and universities across the world.

Paul Chichester, director of operations at NCSC explained that this is a major change in the Turla TTPs aimed at making it hard the attribution of the attacks.

“We have never seen this done to the level of sophistication that we are seeing here,” Mr Chichester said. “It’s unique in the complexity and scale and sophistication. It’s actually really hard masquerading [as another entity].” “This is becoming a very crowded space and we do see people innovate quite rapidly in that domain,”

The Russian Government did not respond to a request for comment from the Financial Times, it always denied its involvement in cyber attacks on other states.

In June, Symantec researchers revealed that Russia-Linked cyberespionage group Turla used a new toolset and hijacked command and control infrastructure operated by Iran-Linked OilRig APT.

Experts at Symantec observed in the last eighteen months at least three distinct campaigns, each using a different set of hacking tools. In one campaign the attackers used a previously unseen backdoor tracker as Neptun (Backdoor.Whisperer), the malicious code is deployed on Microsoft Exchange servers and passively listen for commands from the attackers.

Experts noticed that in one attack, Turla hackers used the infrastructure belonging to another espionage group tracked as Crambus (aka OilRig, APT34).  

The three recent Turla campaigns targeted governments and international organizations worldwide.

Unfortunately, Turla and other sophisticated APT groups have the cyber capabilities ùto hijack other state-sponsored groups making it impossible the attribution of the attacks.

Pierluigi Paganini

(SecurityAffairs – Turla, OilRig)

[adrotate banner=”5″]

[adrotate banner=”13″]