Russian Hackers Quietly Use Tools Created By Iranian Hackers To Spy On 35 Countries, Reports Said

23/10/2019

With the internet covering more parts of the world, more systems are connected to the network. As a result, not only that pubic information is abundance, as governments' secrets too, are more within reach.

This makes certain espionage to be less of a threat to personal well-being and life concerns, as spies can sit comfortably in front of their computers, thousands of miles from their targets.

In a report created by a joint investigation by the U.S. National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC), found that hackers have focused their activities largely within the Middle East.

Here, cybercriminals with ties to the Russian government have been found to have piggybacked on hacking tools like Neuron, Nautilus and Snake developed by Iranian threat groups, to spy and attack systems in 35 different countries.

Named Turla (or also known as Snake, Uroburos, Waterbug, or Venomous Bear), the hacking group is believed to be a state-backed APT.

And Turla here, has been using these tools to further their own aims, presumably without their creators' knowledge.

The U.S. National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC)

"The advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources," explained the NCSC, and "those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla’s use of their implants."

The report also confirms previous research from Symantec back in June, which found one of Turla’s attacks to involve the use of infrastructure belonging to Iranian espionage collective known as APT 34 (aka OilRig or Crambus).

Aside from exploiting the Command and Control (C2) servers of Iranian APTs to deploy their own tools to victims of interest, the Kremlin-linked group also directly accessed ‘Poison Frog’ C2 panels from their own infrastructure, and used this access to task victims to download additional tools.

"Data exfiltrated from the Iranian infrastructure by Turla included directory listings and files, along with keylogger output containing operational activity from the Iranian actors, including connections to Iranian C2 domains."

"This access gave Turla unprecedented insight into the tactics, techniques and procedures (TTPs) of the Iranian APT, including lists of active victims and credentials for accessing their infrastructure, along with the code needed to build versions of tools such as Neuron for use entirely independently of Iranian C2 infrastructure."

In other words, Iranian hacking groups were hacked by another group.

And Turla here, is using the tools to spy on other countries and target even more victims, namely military establishments, government departments, scientific organisations, and universities.

Victims were first identified after some of the implants had been deployed and administered.

The findings found that Turla was connected using a Virtual Private Server (VPS) IP addresses previously associated with the Iranian APT groups.

"Interestingly, in some instances, it appeared an Iranian APT-associated IP address first deployed the implant, and later, Turla-associated infrastructure accessed the same implant," the reports said.

What this means, the two groups' targets overlap.

In order to initiate connections with the implants, Turla must have had access to relevant cryptographic keys, and likely had access to controller software to produce legitimate tasking. In other instances, Turla deployed Neuron to victims in which they already had access to via their Snake toolkit, all with observed connections from Turla-associated infrastructure.

This clearly demonstrates show sophisticated cyberattacks and cyberwarfare can be.