Russian hackers stole a cache of Iranian cyber weapons in order to launch attacks in more than 35 countries without giving away their identity, security officials have revealed.
British analysts linked an intelligence gathering campaign targeting governments, military agencies, universities and research institutes to a Russian hacker group which is associated with the FSB.
The group is known by various names, including Turla, Waterbug and VENEMOUS BEAR, and has targeted organisations around the world but primarily in the Middle East, according to UK officials.
In an advisory notice issued on Monday (21 October), the National Cyber Security Centre (NCSC) said that Turla had re-purposed exploits, called Neuron and Nautilus, believed to have been created by “Iran-based hacking groups”. Turla acquired the tools by hacking into the groups’ systems.
NCSC also believes that Turla took control of some targets which had previously been compromised by the Iranian hackers. The advisory states: “Interestingly, in some instances, it appeared an Iranian APT-associated IP address first deployed the implant, and later, Turla-associated infrastructure accessed the same implant.
“In order to initiate connections with the implants, Turla must have had access to relevant cryptographic key material, and likely had access to controller software in order to produce legitimate tasking.”
The campaign was revealed jointly by NCSC and the US National Security Agency, but the analysis was conducted primarily by the former agency with support from the infosec community.
In a prepared statement, Paul Chichester, NCSC’s director of operations, said: “Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign.
“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them. Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims.”
APT34, one of the threat groups behind weapons reportedly used by Turla, has previously been linked to the Iranian government by researchers at FireEye.
The security vendor’s director of intelligence analysis, John Jultquist, said he had not been able to independently confirm NCSC’s report, but that the activity is “consistent with Turla’s past activity”. He added: “The incidents are also reflective of Turla’s great technical skill – this actor is among the most capable actors FireEye tracks.”