The U.S. National Security Agency (NSA) and Britain’s National Cyber Security Centre (NCSC) reported on Monday that the Russia-linked threat group known as Turla has hijacked malware and infrastructure from Iranian hackers.
The NCSC, which is part of the United Kingdom’s Government Communications Headquarters (GCHQ) intelligence agency, previously published two reports summarizing Turla’s use of malware tracked as Neuron and Nautilus.
In a new joint report, the NSA and NCSC say Neuron and Nautilus appear to be of Iranian origin and their authors are “almost certainly” not aware that their tools have been used by Turla. And even if they are aware, the Russian hackers likely hijacked the tools rather than collaborating with the Iranian hackers.
According to the intelligence agencies, Turla initially used the Iranian malware against targets whose systems they had already compromised using the group’s Snake toolkit.
Attacks have been spotted against entities in over 35 countries. A majority of the victims, including government organizations, were located in the Middle East, and researchers determined that the attackers managed to steal documents from their systems.
The use of Iranian malware by Turla might have led some of the victims to believe that Iran was behind the attacks, when it was more likely Russia.
“While attribution of attacks and proving authorship of tools can be very difficult – particularly in the space of incident response on a victim network – the weight of evidence demonstrates that Turla had access to Iranian tools and the ability to identify and exploit them to further Turla’s own aims,” the NSA and NCSC advisory reads.
Paul Chichester, the NCSC’s director of operations, commented, “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.”
The American and British intelligence agencies believe Turla hijacked not only command and control (C&C) infrastructure from Iranian hackers, but also operational infrastructure.
The fact that Turla leveraged C&C infrastructure set up by an Iran-linked threat actor known as OilRig and APT34 was mentioned a few months ago by cybersecurity firm Symantec, which noted that it was likely a hostile takeover.
The NSA and NCSC believe that Turla used its own malware to compromise operational infrastructure used by an Iranian advanced persistent threat (APT) group. This allowed the Russian cyberspies to obtain a lot of useful information, including lists of victims and credentials that provided access to their systems, and malware source code. By obtaining the source code for tools such as Neuron and Nautilus, Turla could modify the malware to communicate with its own C&C servers.