US, UK: Russian Hackers Hijacked Iranian Malware, Infrastructure

The U.S. National Security Agency (NSA) and Britain’s National Cyber Security Centre (NCSC) reported on Monday that the Russia-linked threat group known as Turla has hijacked malware and infrastructure from Iranian hackers.

The NCSC, which is part of the United Kingdom’s Government Communications Headquarters (GCHQ) intelligence agency, previously published two reports summarizing Turla’s use of malware tracked as Neuron and Nautilus.

In a new joint advisory, the NSA and NCSC say Neuron and Nautilus appear to be of Iranian origin and that their authors are “almost certainly” unaware that Turla has been using their tools. Even if they were aware, the agencies assess that the Russian group most likely hijacked the tools rather than obtaining them through collaboration with the Iranian operators.

According to the intelligence agencies, Turla initially deployed the Iranian malware against targets whose systems it had already compromised with its own Snake toolkit, so the two tool sets were present on the same victim networks.

Attacks have been spotted against entities in over 35 countries. A majority of the victims, including government organizations, were located in the Middle East, and researchers determined that the attackers managed to steal documents from their systems.

The use of Iranian malware by Turla might have led some of the victims to believe that Iran was behind the attacks, when it was more likely Russia.

“While attribution of attacks and proving authorship of tools can be very difficult – particularly in the space of incident response on a victim network – the weight of evidence demonstrates that Turla had access to Iranian tools and the ability to identify and exploit them to further Turla’s own aims,” the NSA and NCSC advisory reads.

Paul Chichester, the NCSC’s director of operations, commented, “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.”

The American and British intelligence agencies believe Turla hijacked not only command and control (C&C) infrastructure from Iranian hackers, but also operational infrastructure.

Turla’s use of C&C infrastructure set up by the Iran-linked threat actor known as OilRig (also tracked as APT34) had already been reported a few months earlier by cybersecurity firm Symantec, which noted that the overlap was more likely a hostile takeover than a partnership.

The NSA and NCSC believe that Turla used its own malware to compromise operational infrastructure belonging to an Iranian advanced persistent threat (APT) group. This gave the Russian cyberspies a wealth of operationally useful information: victim lists, credentials providing access to those victims’ systems, and malware source code. With the source code for tools such as Neuron and Nautilus in hand, Turla could modify the malware to communicate with its own C&C servers rather than the Iranian ones.
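The attribution signal the agencies and Symantec describe is that a tool’s presumed author and the infrastructure it actually talks to stop agreeing, and that other tooling on the same host points to the actor who owns that infrastructure. The following is an added example, not code from the article or from NSA/NCSC, of how an incident responder might score that kind of evidence. Every hostname, IP address, sample and ownership mapping below is constructed for illustration; the only names taken from the text are the actor labels Turla and OilRig and the tool names Snake, Neuron and Nautilus, and the assumption that Neuron and Nautilus belong to OilRig is a simplification made for the example.

```python
"""Infrastructure-overlap scoring for suspected tool hijacking (added example)."""
from collections import defaultdict

# Constructed reference data: C2 hosts previously attributed to each actor.
# Addresses are from documentation ranges and do not exist.
KNOWN_INFRA = {
    "OilRig": {"203.0.113.10", "198.51.100.7", "update-check.example"},
    "Turla": {"192.0.2.44", "192.0.2.45", "cdn-sync.example"},
}

# Constructed assumption: which actor is believed to author each tool.
TOOL_OWNERS = {"Snake": "Turla", "Neuron": "OilRig", "Nautilus": "OilRig"}

# Constructed sightings: malware family, the C2 it beaconed to, and other
# tooling found on the same host during incident response.
OBSERVATIONS = [
    {"host": "victim-a", "family": "Neuron", "c2": "203.0.113.10", "other_tools": set()},
    {"host": "victim-b", "family": "Neuron", "c2": "192.0.2.44", "other_tools": {"Snake"}},
    {"host": "victim-c", "family": "Nautilus", "c2": "192.0.2.45", "other_tools": {"Snake"}},
    {"host": "victim-d", "family": "Nautilus", "c2": "198.51.100.7", "other_tools": set()},
]


def owner_of_c2(c2, infra=KNOWN_INFRA):
    """Return the actor whose known infrastructure contains this C2, or None."""
    for actor, hosts in infra.items():
        if c2 in hosts:
            return actor
    return None


def assess(obs, infra=KNOWN_INFRA, tool_owners=TOOL_OWNERS):
    """Weigh tool authorship against infrastructure and co-located tooling.

    A 'possible_hijack' verdict requires two independent signals pointing at
    the same other actor: the C2 belongs to them AND their own tooling is on
    the host. Infrastructure alone yields only 'conflicting'.
    """
    family_owner = tool_owners.get(obs["family"])
    infra_owner = owner_of_c2(obs["c2"], infra)
    cohab_owners = {tool_owners[t] for t in obs["other_tools"] if t in tool_owners}

    if family_owner is None:
        verdict, operator = "unknown_family", None
    elif infra_owner is None:
        verdict, operator = "unknown_infrastructure", None
    elif infra_owner == family_owner and cohab_owners <= {family_owner}:
        verdict, operator = "consistent", family_owner
    elif infra_owner != family_owner and cohab_owners == {infra_owner}:
        verdict, operator = "possible_hijack", infra_owner
    else:
        verdict, operator = "conflicting", None

    return {
        "host": obs["host"],
        "family": obs["family"],
        "verdict": verdict,
        "likely_operator": operator,
        "evidence": {"family": family_owner, "infra": infra_owner,
                     "cohabiting": sorted(cohab_owners)},
    }


def family_report(observations, infra=KNOWN_INFRA):
    """Map each malware family to the set of actors whose C2 it was seen using.

    A family whose samples beacon to more than one actor's infrastructure is
    the pattern Symantec flagged for Neuron/Nautilus talking to both sets.
    """
    seen = defaultdict(set)
    for obs in observations:
        owner = owner_of_c2(obs["c2"], infra)
        if owner is not None:
            seen[obs["family"]].add(owner)
    return dict(seen)


def families_with_split_infra(observations, infra=KNOWN_INFRA):
    """Families observed talking to infrastructure of two or more actors."""
    return sorted(f for f, owners in family_report(observations, infra).items()
                  if len(owners) > 1)


if __name__ == "__main__":
    for obs in OBSERVATIONS:
        result = assess(obs)
        print(f"{result['host']}: {result['family']} -> {result['verdict']}"
              f" (likely operator: {result['likely_operator']})")
    print("families on split infrastructure:", families_with_split_infra(OBSERVATIONS))
```

The design point is that the verdict never rests on a single indicator: a sample of an “Iranian” tool beaconing to Turla-attributed infrastructure is only `conflicting` on its own, and becomes `possible_hijack` only when Turla’s own tooling is also present on the host, which mirrors the “weight of evidence” language in the advisory.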

Related: Turla Linked to One of the Earliest Cyberespionage Operations

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
