Connect with us

Hi, what are you looking for?



US, UK: Russian Hackers Hijacked Iranian Malware, Infrastructure

The U.S. National Security Agency (NSA) and Britain’s National Cyber Security Centre (NCSC) reported on Monday that the Russia-linked threat group known as Turla has hijacked malware and infrastructure from Iranian hackers.

The U.S. National Security Agency (NSA) and Britain’s National Cyber Security Centre (NCSC) reported on Monday that the Russia-linked threat group known as Turla has hijacked malware and infrastructure from Iranian hackers.

The NCSC, which is part of the United Kingdom’s Government Communications Headquarters (GCHQ) intelligence agency, previously published two reports summarizing Turla’s use of malware tracked as Neuron and Nautilus.

In a new joint report, the NSA and NCSC say Neuron and Nautilus appear to be of Iranian origin and their authors are “almost certainly” not aware that their tools have been used by Turla. And even if they are aware, the Russian hackers likely hijacked the tools rather than collaborating with the Iranian hackers.

According to the intelligence agencies, Turla initially used the Iranian malware against targets whose systems they had already compromised using the group’s Snake toolkit.

Attacks have been spotted against entities in over 35 countries. A majority of the victims, including government organizations, were located in the Middle East, and researchers determined that the attackers managed to steal documents from their systems.

The use of Iranian malware by Turla might have led some of the victims to believe that Iran was behind the attacks, when it was more likely Russia.

“While attribution of attacks and proving authorship of tools can be very difficult – particularly in the space of incident response on a victim network – the weight of evidence demonstrates that Turla had access to Iranian tools and the ability to identify and exploit them to further Turla’s own aims,” the NSA and NCSC advisory reads.

Advertisement. Scroll to continue reading.

Paul Chichester, the NCSC’s director of operations, commented, “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.”

The American and British intelligence agencies believe Turla hijacked not only command and control (C&C) infrastructure from Iranian hackers, but also operational infrastructure.

The fact that Turla leveraged C&C infrastructure set up by an Iran-linked threat actor known as OilRig and APT34 was mentioned a few months ago by cybersecurity firm Symantec, which noted that it was likely a hostile takeover.

The NSA and NCSC believe that Turla used its own malware to compromise operational infrastructure used by an Iranian advanced persistent threat (APT) group. This allowed the Russian cyberspies to obtain a lot of useful information, including lists of victims and credentials that provided access to their systems, and malware source code. By obtaining the source code for tools such as Neuron and Nautilus, Turla could modify the malware to communicate with its own C&C servers.

Related: Turla Linked to One of the Earliest Cyberespionage Operations

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...