Written by Sean Lyngaas

Like any group of spies or soldiers, state-sponsored hacking groups are acutely interested in what their peers are using. Servers, domains and other digital tools can be contested resources just like others in in espionage or warfare.

And there’s no guarantee that any group can keep a tight grip on its own internet infrastructure. In documenting how Turla, a Russia-linked outfit, hijacked the server of OilRig, a group associated with Iran, new research from Symantec shows what that overlap looks like in action.

“This is the first time Symantec has observed one actor hijack another’s infrastructure,” said Alexandrea Berninger, senior cyber intelligence analyst at Symantec. “Although we don’t expect this to become a common tactic, we do expect to see deceptive operations like this amongst the most capable threat actor groups.”

The apparently hostile takeover took place in January 2018, when a computer in a Middle Eastern government organization downloaded a variant of the credential-stealing tool Mimikatz from a server previously controlled by OilRig, Symantec told CyberScoop.

It was an opportunistic move from Turla, which used OilRig’s own control panel to compromise the government target. Based on recent leaks of OilRig data, that control panel appears vulnerable, the researchers said. OilRig, which Symantec calls Crambus, was on the Middle Eastern government’s network first, starting at least in November 2017, but there is no evidence that the Iranian-linked group reacted to the hijacking.

While it’s possible the two groups were collaborating, Symantec said it found no evidence to support that possibility. Both are categorized as advanced persistent threats (APTs) by security researchers.

The takeover of OilRig’s server was part of a series of active campaigns carried out by Turla — which is reportedly tied to Russia’s FSB intelligence service — in the last year and half against 13 organizations across 10 countries, according to Symantec. Targets have included government ministries in Europe, Latin America, the Middle East, and South Asia, along with organizations in the IT and education sectors. The hackers have brandished a “swath of new tools,” including custom malware, the researchers said.

The commandeering of another group’s infrastructure makes it hard for analysts to pinpoint the culprit and, potentially, for organizations to defend against what they believe it to be a different set of hackers, Berninger told CyberScoop.

The researchers believe the Mimikatz variant is unique to Turla (which Symantec calls Waterbug), a group known for a 2015 hacking spree that infected victims in 45 countries. The last time that variant surfaced was in 2017, against a target in the British education sector, according to Symantec.

“By changing their tools and tactics, Waterbug is able to deeply infiltrate an organization and maintain that access over a long period of time even if some of their tools or infrastructure are identified,” Berninger said. “Because of this, we don’t often see widespread use of any one tool.”