Suspected Russia-linked hackers have attacked dozens of countries, including Britain, disguised as Iranian cyber spies, UK and US intelligence agencies have revealed.

They have accused the Turla group - allegedly based in Russia - of letting an Iranian hacking outfit take the blame for a spate of cyber espionage after gaining access to its cyber tools and infrastructure and piggybacking on its hacking exploits.

This gave the alleged Russia-linked actors access to the secrets of a number of governments and other entities, mainly in the Middle East, already allegedly compromised by the Iranians.

The suspected Russian hackers became so well-versed in the methods used by the group - known as APT34 or OilRig - that they were able to launch their own cyberattacks posing as the Iranians, according to the UK's National Cyber Security Centre (NCSC).

This meant victims that initiated investigations to find out who targeted them would more likely blame the Iran-linked group when actually the culprit was the Russia-linked group.


"Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign," said Paul Chichester, the NCSC's director of operations.

"We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.

"Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims."

One of the alleged targets was a British academic organisation that has not been publicly named.

That attack is what enabled the NCSC, part of GCHQ, to start unpicking the puzzle and discovering how the suspected Russians were effectively hacking Iranian hackers.

Mr Chichester described the ploy as "unique in the complexity of skills and sophistication".

Officials from the NCSC worked with their counterparts at the US National Security Agency (NSA) to investigate the suspected Russian activity, though the operation was mainly British. The investigation began in late 2017.

Both agencies have released advisories on their findings to raise awareness among businesses and the public to the risk of incorrect attribution.

The relatively rare public joint action - calling out the alleged cyber espionage of a suspected Russia-linked group - is also aimed at deterring such activity, Mr Chichester said.

The NCSC said it had found cyberattacks against more than 35 countries - including at least 20 that were successful - appeared to have originated from Iranian-linked hackers but were in fact launched by the suspected Russian-linked group.

Turla is accused of regularly collecting intelligence by targeting government, military, technology, energy and commercial organisations.

There is no suggestion the Iranians knew or were complicit in their systems being allegedly hacked by the Turla group, Mr Chichester said.

A report released in June by the cyber security company Symantec first alleged Turla, also known as Waterbug, had gained access to the servers belonging to APT34.

But today's announcement is the first time the British and US governments have made this claim and the first time the scale of the attacks and their apparent success rate has been revealed.