Russian hackers hijacked Iranian cyber espionage infrastructure to attack government and industry organisations in dozens of countries while pretending to be Iranian cyber attackers.
The Turla group, also known as VENOMOUS BEAR, infiltrated the systems of Iranian cyber criminals to launch attacks on Western targets, according to a joint report by the National Cyber Security Centre (NCSC) and National Security Agency (NSA).
Analysis by the two agencies revealed the Russian-linked group acquired a pair of tools associated with Iranian hackers, namely Neuron and Nautilus, as well as the data linked with it.
Turla then tested these tools against victims it had already compromised, before turning its attention towards new victims. Hackers scanned target organisations for backdoors planted by Iranian cyber criminals in order to exploit them and gain a foothold.
"The behaviour of Turla in scanning for backdoor shells indicates that whilst they had a significant amount of insight into the Iranian tools, they did not have full knowledge of where they were deployed," the NCSC said in an advisory.
"While attribution of attacks and proving authorship of tools can be very difficult particularly in the space of incident response on a victim network the weight of evidence demonstrates that Turla had access to Iranian tools and the ability to identify and exploit them to further Turla's own aims."
The volume of cyber attacks emanating from both Russia and Iran have risen substantially in recent months and years, as geopolitical tensions with the US have escalated.
Microsoft, for example, disclosed data in July suggesting that approximately 10,000 of its customers were targeted by state-sponsored attacks during the 12 months. Further analysis showed these attackers were predominately launched by five groups divided between three nations; Iran, Russia, and North Korea.
Analysis by the NCSC and NSA shows that the Neuron and Nautilus tools, deployed by Turla, were first seen deployed with the Snake rootkit on a range of victims. Followup investigations have shown inconsistencies, however, with these tools also deployed on a large cluster of victims in the Middle East, but not all in conjunction with the Snake implant.
Breaking this down further, it became clear to investigators that these victims were targeted by cyber criminals using virtual private server (IP) addresses linked with Iranian hackers. Furthermore, Iranian cyber criminals were actually the first to deploy these tools, with Turla piggybacking off them subsequently.
Turla, moreover, accessed and used the command and control (C2) infrastructure of Iranian hacking groups to launch its own attacks. The group also deployed its own implants against the infrastructure used by Iranian groups, using this to further their own access into the global operational infrastructure and to exfiltrate data.
-
Building enduring channel partnerships in a multi-generational IT environmentIndustry Insights Partners are evolving from sellers to strategic advisors, prioritizing customer outcomes
-
What can AI do to empower those working in the legal sector today, tomorrow, and beyond?Supported AI is transforming the legal profession — from streamlining today’s workflows to shaping tomorrow’s strategies. For firms, the choice is clear: embrace trusted AI tools now or risk falling behind in a rapidly evolving landscape
-
Foreign states ramp up cyberattacks on EU with AI-driven phishing and DDoS campaignsNews ENISA warns of hacktivism, especially through DDoS attacks
-
A new 'top-tier' Chinese espionage group is stealing sensitive datanews Phantom Taurus has been operating for two years and uses custom-built malware to maintain long-term access to critical targets
-
‘States don’t do hacking for fun’: NCSC expert urges businesses to follow geopolitics as defensive strategyNews Paul Chichester, director of operations at the UK’s National Cyber Security Centre, urged businesses to keep closer tabs on geopolitical events to gauge potential cyber threats.
-
Three ways to evolve your security operationsWhitepaper Why current approaches aren’t working
-
Beat cyber criminals at their own gameWhitepaper A guide to winning the vulnerability race and protection your organization
-
Quantifying the public vulnerability market: 2022 editionWhitepaper An analysis of vulnerability disclosures, impact severity, and product analysis
-
Same cyberthreat, different storyWhitepaper How security, risk, and technology asset management teams collaborate to easily manage vulnerabilities
-
Business value of ServiceNow security operationsWhitepaper Experience transformational gains from automating workflows and data-sharing among IT, security, and risk teams to rapidly remediate threats
