The Russian hacker group Turla disguised itself as Iranians and stole state secrets from multiple countries, authorities from the U.S. and U.K. said Monday.
“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign,” Paul Chichester, director of operations at GCHQ’s National Cyber Security Centre, said in a release. “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.”
In an 18-month campaign, Turla, aka Uroboros, “acquired access to Iranian tools and the ability to identify and exploit them to further their own aims,” said Chichester. They were able to infiltrate systems of organizations located in more than 35 countries.
In some cases, the Russian hackers appeared to use an IP address associated with Iran’s APT34 (also known as OilRig) group to deploy an implant, which they later accessed from infrastructure attributed to Turla (also known as Venomous Bear). A joint advisory from the NCSC and the National Security Agency (NSA) said this suggested “Turla effectively took control of victims previously compromised by a different
Other implants “had previously been connected to by Virtual Private Server (VPS) IP addresses associated in the open source cybersecurity community with Iranian APT groups,” the advisory said.
Once Turla had acquired tools and the data needed to use them, it “first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims,” the security agencies explained. “Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold. The focus of this activity from Turla was largely in the Middle East, where the targeting interests of both Advanced Persistent Threats (APTs) overlap.”
An analysis of Turla’s behavior in scanning for Iranian backdoors, as well as the timeline, suggests that while the Neuron and Nautilus tools used by the group originated in Iran, “Turla were using these tools and accesses independently to further their own intelligence requirements,” the advisory said, with the scanning for backdoor shells indicating the Russian hackers “did not have full knowledge of where they were deployed.”
The NCSC had previously put out advisories in 2017 and 2018 on Turla’s use of Neuron and Nautilus, employed in some cases along with Snake. Subsequent analysis found that the tools had been used against a wide swath of victims, with a heavy concentration in the Middle East. Among the victims in those attacks were military groups, government departments, scientific organizations and universities.
In a June blog post, experts from Symantec chronicled three campaigns, targeting 13 organizations in the government, education and IT/communications sectors across five global regions, in which Turla likely hijacked the command-and-control infrastructure of OilRig to deliver a custom backdoor to intended victims.