Connect with us

Hi, what are you looking for?



Russia-Linked Hackers Hijack Infrastructure of Iranian Threat Group

Russia-Linked Hackers Use New Toolset and Likely Took Over Servers Operated by Iran-Linked “OilRig” Threat Group

Russia-Linked Hackers Use New Toolset and Likely Took Over Servers Operated by Iran-Linked “OilRig” Threat Group

Three recent campaigns associated with the cyber-espionage group Turla employed different tools, revealing a rapidly evolving portfolio, Symantec reports. 

Also known as Waterbug, KRYPTON and Venomous Bear, Turla is a Russia-linked threat group active for more than 10 years and mainly focused on cyber-espionage operations. 

The group’s activity over the past year and a half continued unhindered, with at least three distinct campaigns identified recently, each using a different toolset. One of them employed a previously unseen backdoor, a second one used three different backdoors, while the third deployed a custom RPC backdoor. 

Dubbed Neptun, the backdoor used in the first campaign is installed on Microsoft Exchange servers as a service and passively listens for commands. The threat, Symantec says, can download additional tools, upload stolen files, and execute shell commands.

A second campaign involved the use of Meterpreter, a publicly available backdoor along with two custom loaders, a custom backdoor called photobased.dll, and a custom Remote Procedure Call (RPC) backdoor. In this campaign, Turla has used a modified version of Meterpreter, encoded and given a .wav extension to disguise its true purpose.

As part of the third campaign, the threat actor used a custom RPC backdoor (different from the version observed in the second campaign) that packed code derived from the PowerShellRunner tool to execute PowerShell scripts and bypass detection. 

Advertisement. Scroll to continue reading.

Other tools leveraged by the hackers in these attacks include a custom dropper to install Neptun, a hacking tool that combines four NSA tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch), a USB data collecting tool, Visual Basic scripts for reconnaissance, PowerShell scripts for reconnaissance and credential theft, and publicly available tools (IntelliAdmin, SScan, NBTScan, PsExec, Mimikatz, and Certutil.exe).

The campaigns targeted governments and international organizations across the globe, as well as entities in the IT and education sectors. 

Since early 2018, Turla targeted 13 organizations across 10 different countries, including the Ministries of Foreign Affairs of countries in Latin America, Middle East, and Europe, the Ministry of the Interior of a South Asian country, two government organizations in the Middle East and one in Southeast Asia, and a government office of a South Asian country based in another country. 

The group also attacked information and communications technology organizations in the Middle East, Europe, and South Asia, a multinational organization in a Middle Eastern country, and an educational institution in a South Asian country. 

One of the attacks identified as part of the first campaign stood out in the crowd for the use of infrastructure belonging to the Iran-linked espionage group known as OilRig (APT34, Crambus). Due to lack of evidence to suggest a collaboration between the groups, Symantec believes this was a hostile takeover. 

Using the hijacked infrastructure, the actor downloaded a custom variant of Mimikatz onto a victim’s machine. This variant appears unique to Turla and has been packed using a custom packing routine that has been also used on a group’s dropper, but not on non-Turla tools.

“This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group. However, it is still difficult to ascertain the motive behind the attack. Whether Waterbug simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown,” Symantec concludes. 

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Related: Turla Backdoor Controlled via Email Attachments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...