SecurityWeek

Cyberwarfare

US, UK: Russian Hackers Hijacked Iranian Malware, Infrastructure

The U.S. National Security Agency (NSA) and Britain’s National Cyber Security Centre (NCSC) reported on Monday that the Russia-linked threat group known as Turla has hijacked malware and infrastructure from Iranian hackers.

The NCSC, which is part of the United Kingdom’s Government Communications Headquarters (GCHQ) intelligence agency, previously published two reports summarizing Turla’s use of malware tracked as Neuron and Nautilus.

In a new joint advisory, the NSA and NCSC say Neuron and Nautilus appear to be of Iranian origin and that their authors are “almost certainly” not aware their tools have been used by Turla. Even if the authors are aware, the agencies assess that Turla most likely hijacked the tools rather than collaborating with their Iranian operators.

According to the intelligence agencies, Turla initially deployed the Iranian malware on targets it had already compromised with its own Snake toolkit.

Attacks have been spotted against entities in over 35 countries. A majority of the victims, including government organizations, were located in the Middle East, and researchers determined that the attackers managed to steal documents from their systems.

The use of Iranian malware by Turla might have led some of the victims to believe that Iran was behind the attacks, when it was more likely Russia.

“While attribution of attacks and proving authorship of tools can be very difficult – particularly in the space of incident response on a victim network – the weight of evidence demonstrates that Turla had access to Iranian tools and the ability to identify and exploit them to further Turla’s own aims,” the NSA and NCSC advisory reads.

Paul Chichester, the NCSC’s director of operations, commented, “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.”


The American and British intelligence agencies believe Turla hijacked not only command and control (C&C) infrastructure from Iranian hackers, but also operational infrastructure.

Cybersecurity firm Symantec had reported a few months earlier that Turla leveraged C&C infrastructure set up by the Iran-linked threat actor tracked as OilRig (also known as APT34), noting that the takeover was most likely hostile.

The NSA and NCSC believe that Turla used its own malware to compromise operational infrastructure belonging to an Iranian advanced persistent threat (APT) group. This gave the Russian cyberspies a large amount of useful information, including victim lists, credentials that provided access to those victims’ systems, and malware source code. With the source code for tools such as Neuron and Nautilus in hand, Turla could modify the malware to communicate with its own C&C servers rather than the Iranian group’s.

Related: Turla Linked to One of the Earliest Cyberespionage Operations

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
