Russian threat group Turla is thought to have hijacked tools and infrastructure of Iranian state hackers
Russia has rejected media reports suggesting that Russian state hackers hijacked Iranian security services’ hacking tools and infrastructure to attack governments and organisations across the world.
“These publications are an unsavoury interpretation of a concise report of the British National Cyber Security Centre and the American National Security Agency,” a spokesman for the Russian embassy in London stated on the organisation’s website, according to Reuters.
The spokesperson added that no security agency had accused Russia or Russian citizens of carrying out cyber attacks against their country.
The Russian embassy spokesman described the media reports as an attempt to “drive a wedge” between Russia and Iran.
Earlier this week, advisories jointly released by UK and US intelligence claimed that the Russian group called ‘Turla’, also known as Venomous Bear, Snake and Group 88, had used the tools and infrastructure of Iranian threat group APT34 to attack government organisations in at least 20 countries over the past 18 months.
While intelligence officials have no evidence of any collusion between Turla and APT34, they said that Turla hijacked APT34’s infrastructure to “masquerade as an adversary which victims would expect to target them”.
“Turla used implants derived from the suspected Iran-based hacking groups’ previous campaigns, ‘Neuron’ and ‘Nautilus’. In order to acquire these tools and access the infrastructure, Turla also compromised the suspected Iran-based hacking groups,” claimed the UK National Cyber Security Centre (NCSC).
After gaining access to APT34’s tools, Turla used Iranian hackers’ command and control systems to deploy its own malicious code.
The hacking campaign largely targeted countries in the Middle East, according to the NCSC, although it also targeted some organisations in the UK.
Paul Chichester, NCSC director of operations, said that the campaign indicates that state-backed hackers are using new tactics to better cover their tracks.
Chichester added that the purpose of its advisory was to raise awareness in the UK industry about the activities of adversaries and to make it harder for them to launch cyber attacks.
“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” said Chichester.
Turla’s alleged act of hijacking Iranian tools and infrastructure also shows the dangers of wrongly attributing cyber attacks, British officials warned.