Iranian hacking tools hijacked by Turla group to perform cyber-espionage

Russian hackers masqueraded as the Iranian threat group OilRig by using its tools to perform spying attacks in 35 countries, say the NSA and NCSC

Security agencies warn about the Turla hacking group. Dozens of countries are spied on by a Russian state-backed hacking group.

The joint advisory[1] on Turla group activity, published on Monday, revealed that Russian state-backed hackers performed their own attacks against 35 countries using espionage tools developed by Iranian threat groups.[2] The National Security Agency and the United Kingdom's National Cyber Security Centre analyzed the advanced persistent threat (APT) group Turla, which is attributed to Russia. The release is an update to the previous report issued in January 2018.[3]

These cyber-espionage campaigns targeted a wide range of victims around the world. Turla victimized government institutions, corporations, research entities, and military and education sectors, located mainly in the Middle East. The reports also state that the group compromised the Iranian APT group's infrastructure and resources to obtain OilRig-developed hacking tools and to steal information about OilRig's previous victims.

Turla uses Neuron and Nautilus exploit tools to steal valuable data

The Russian threat group is tracked under many names because of the different attacks it has performed: Snake, Uroburos, Waterbug, Venomous Bear. Its most distinctive feature is its relationship to the Russian government.[4] In these recent attacks, the operators mainly used the spyware tools Neuron and Nautilus, which are assessed to have been developed by the Iranian hacker group known as OilRig, APT34 or Crambus.

The advisory also mentions victims affected by the Snake tool, but the main campaign used tools acquired from the Iranian hackers by compromising their infrastructure:

Turla also made use of existing Snake victim networks to scan for the ASPX shell described in the initial advisory – attempting to identify the presence of, and access, the ASPX webshell on IP addresses in at least 35 countries, including Saudi Arabia, Kuwait, Qatar and UAE.

From victim reports, researchers managed to recover files that revealed more details. A recovered log file showed that the hackers sent commands to the ASPX shell inside encrypted HTTP Cookie values, which the shell decrypted into valid tasks, allowing the operators to interact with it over ordinary-looking web requests.
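As an added example (not code from the advisory or from this article), the following Python check shows how a defender could surface the traffic shape described above in IIS W3C logs: requests to .aspx resources that carry long, high-entropy cookie values. The log excerpt is constructed, and it assumes the optional cs(Cookie) field is enabled in the site's logging configuration.

```python
import math

# Constructed IIS W3C-style log excerpt (not from the advisory). It assumes the
# optional cs(Cookie) field is enabled in the site's logging configuration.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs(Cookie) sc-status
2019-10-21 09:12:01 GET /images/logo.png - 200
2019-10-21 09:12:05 POST /login.aspx ASP.NET_SessionId=abcd1234efgh5678 200
2019-10-21 09:12:09 GET /content/news.aspx sid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 200
2019-10-21 09:13:44 GET /content/updates.aspx sid=3K9f+Qm2vLx8R0cZt1nHsyB7pWqE4aUo6TjdVkGrNbXyC5FmLi0Ze2hQ= 200
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split()))

def suspicious_cookie_requests(text, min_len=32, min_entropy=4.5):
    """Flag .aspx requests whose cookie value is long and high-entropy (encrypted/encoded tasking)."""
    hits = []
    for rec in parse_w3c(text):
        if not rec.get("cs-uri-stem", "").lower().endswith(".aspx"):
            continue
        cookies = rec.get("cs(Cookie)", "-")
        if cookies == "-":
            continue  # IIS logs '-' when no Cookie header was sent
        for pair in cookies.split(";"):
            name, _, value = pair.strip("+ ").partition("=")  # IIS encodes spaces as '+'
            ent = shannon_entropy(value)
            if len(value) >= min_len and ent >= min_entropy:
                hits.append({"uri": rec["cs-uri-stem"], "name": name,
                             "length": len(value), "entropy": round(ent, 2)})
    return hits
```

Only the last request is flagged: the normal session cookie is too short and the repeated-character value has no entropy, so the thresholds separate ordinary traffic from opaque, encrypted tasking without relying on a known cookie name.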

Compromised Iranian C2 and Operational Infrastructures

Rootkits were implanted on the compromised operational infrastructure to gather information on victims: military establishments, government institutions, universities, and other organizations of value. The Russia-linked group also exploited the Iranian APTs' command and control servers to obtain data about potential targets, and used the same access to steal information collected by keyloggers that OilRig had originally deployed.

OilRig is almost certainly not aware of the activity and espionage campaigns Turla has conducted.

This access gave the Russian threat actors a significant advantage: they could analyze the Iranian APT's tactics, techniques, and procedures, view its lists of victims, and use its credentials to access the infrastructure for large-scale malware and cyber-espionage campaigns later on.

This incident shows that the "hacking the hackers" scenario is highly likely to recur, as Russian cybercriminals managed to steal tools used by another prominent group, use them for their own goals, and get away with it.[5]

About the author
Julie Splinters, anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.
