Written by James Orme Mon 21 Oct 2019

Russian hackers accused of masquerading as Iranian APT group

Russian hackers disguised themselves as Iranian hackers to launch a cyber attack targeting government and industry organisations in 35 countries, British and US officials announced in a joint statement.

As part of the campaign, the Russian hacking group known as “Turla” used Iranian tools and infrastructure and employed the same techniques used by hacking groups associated with the Islamic Republic.

The group extracted sensitive documents and assets from a range of sectors and organisations, including a ‘large cluster’ based in the Middle East, officials said.

Turla also piggybacked on Iran-based hacking groups’ previous cyber attacks, ‘Neuron’ and ‘Nautilus’, which it accessed after compromising the Iranian groups themselves, reinforcing the attacks’ appearance as Iranian in origin.

But British and US officials have revealed this was not the case and have identified Turla as the perpetrators, a group typically associated with the Russian state.

“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign,” said Paul Chichester, director of operations at the UK’s National Cyber Security Centre.

“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” he added.

The NCSC also said that in some instances Turla deployed the first implant using an IP address associated with an Iranian APT group, suggesting Turla took control of systems previously compromised by a different actor.

In order to initiate connections with the implants, Turla must have had access to relevant cryptographic key material, and likely had access to controller software in order to produce legitimate tasking, the NCSC said.

Russia-based Turla, also known as Waterbug or VENOMOUS BEAR, has been accused of regularly collecting information belonging to government, military, technology, energy and commercial organisations.

The NCSC published two advisories on Turla’s use of Neuron and Nautilus cyber tools in late 2017 and early 2018.