21 October 2019 (Paris, France) – A Russian cyber espionage unit has hacked Iranian hackers to lead attacks in more than 35 countries, a joint UK and US investigation has revealed.
The so-called Turla group, which has been linked with Russian intelligence, allegedly hijacked the tools of Oilrig, a group widely linked to the Iranian government, according to a two-year probe by the UK’s National Cyber Security Centre in collaboration with the US’ National Security Agency. The NCSC is part of GCHQ, the digital intelligence agency.
The Iranian group is most likely unaware that its hacking methods have been hacked and deployed by another cyber espionage team, security officials involved in the investigation said. Victims include military establishments, government departments, scientific organisations and universities across the world, mainly in the Middle East.
Paul Chichester, NCSC director of operations, said Turla’s activity represented “a real change in the modus operandi of cyber actors” which he said “added to the sense of confusion” over which state-backed cyber groups had been responsible for successful attacks:
The reason we are publicising this is because of the different tradecraft we are seeing Turla use. We want others to be able to understand this activity.
Chichester described how Turla began “piggybacking” on Oilrig’s attacks by monitoring an Iranian hack closely enough to use the same backdoor route into an organisation or to gain access to the resulting intelligence. Turla is also known as Waterbug or Venomous Bear.
But the Russian group then progressed to initiating their own attacks using Oilrig’s command-and-control infrastructure and software. Organisations in approximately 20 countries were successfully hacked in this way:
Turla could benefit from the operations of Oilrig. They could collect some of their operational output. It allowed them to gain more rapid access to victims than they would otherwise have done. It made life much easier. This is an opportunistic operation which has given Turla a wealth of information and access they wouldn’t otherwise have had.
Russia’s government has consistently denied it is behind hacking attempts on other states. President Vladimir Putin, in an interview with the FT earlier this year, described allegations that Moscow had orchestrated attempts to influence the 2016 US elections as “mythical”.
Cyber espionage groups are increasingly concealing their identities under so-called “false flag” operations — in which they try to mimic the activities of another group. Last year US intelligence agencies were reported to have uncovered the fact that Russian hackers had attempted to disrupt the Winter Olympics in Pyeongchang, South Korea, using lines of code associated with Lazarus Group, attributed to North Korea.
But NCSC says Turla’s operations go far further than imitation, and that Oilrig itself — also known by the names Crambus and APT34 — was hacked. Chichester said:
We have never seen this done to the level of sophistication that we are seeing here. It’s unique in the complexity and scale and sophistication. It’s actually really hard masquerading as another entity. This is becoming a very crowded space and we do see people innovate quite rapidly in that domain.