A joint investigation conducted by NCSC and the NSA has revealed how a Russian hacker group known as Turla hacked an Iranian hacker group known as OilRig and then used the latter’s tools and infrastructure to carry out cyber attacks on dozens of other countries.
OilRig is a prolific Iranian hacker group that uses a combination of phishing techniques and various kinds of malware to target government departments and corporations in targeted countries, mostly in the West.
The hacker group gained international attention in October 2017 when Forbes revealed how the group used a fake Facebook profile of an attractive woman to lure a Deloitte employee into downloading an attachment on his personal computer.
The attachment contained a malware named PupyRat which could steal credentials from corporate accounts. However, the malware was unable to infiltrate Deloitte’s corporate network from the victim’s computer, thereby saving the company from much embarrassment.
Going by a fresh report from the National Cyber Security Centre and a similar one from the United States’ NSA, many of the cyber attacks believed to have been conducted by OilRig may not have been initiated by the group in the first place.
Turla stole hacking tools Neuron and Nautilus from OilRig
According to NCSC, a Russian hacker group known as Turla recently hacked OilRig and used the latter’s tools and infrastructure to carry out cyber attacks on more than 35 countries, with a majority of victims based in the Middle East.
A detailed investigation conducted by the two agencies found that Turla used various tools and implants in its activities that were derived from OilRig’s previous campaigns, notably ‘Neuron’ and ‘Nautilus’. Neuron and Nautilus are malicious tools employed by hacker groups to target mail servers and web servers on Microsoft Windows platforms.
According to NCSC, Turla used both malicious tools in conjunction with the Snake rootkit to target government, military, technology, energy, and commercial organisations both in the UK and the United States.
“Snake provides a platform to steal sensitive data, acts as a gateway for internal network operations and is used to conduct onward attacks against other organisations. They infect multiple systems within target networks and deploy a diverse range of tools to ensure that they retain a foothold in a victim’s system even after the initial infection vector has been mitigated,” the cyber security watchdog noted.
It added that not only did Turla use OilRig’s tools to target organisations, they also “sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold”.
“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign. We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them. Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims,” said Paul Chichester, the NCSC’s Director of Operations.
“Russia’s use of Iranian infrastructure shows that organisations performing threat actor attribution cannot rely on a single source of information, such as an IP address, to determine adversary identities. While some have been quick to label this news as a case of failed attribution, I see the opposite,” says Richard Bejtlich, principal security strategist at Corelight.
“Three private sector companies – Symantec, ESET, and Kaspersky – all discussed this problem prior to the NCSC report. I see this as proof that cyber threat intelligence teams can penetrate false flag operations and that they can be supported by national intelligence agencies,” he adds.
Turla stole PII of hundreds of German non-right politicians in 2018
One of the most infamous instances of Turla’s hacking operations targeting European organisations was the hacking of personal information of hundreds of German politicians and public figures in 2018.
According to German news media, a massive data leak took place last year that resulted in unknown individuals posting the personal information of hundreds of German politicians as well as public figures including Chancellor Angela Merkel on Twitter. The leaked information included personal phone numbers, identity cards, letters sent and received by politicians and celebrities, and credit card numbers.
The massive data leak compromised the privacy of politicians associated with almost all major political parties except for politicians affiliated with Alternative for Germany (AfD), a surging right-wing party with strong views on immigration.
After the news became public, the Ministry of Interior said in a statement that hackers had gained access to such data through “wrongful use of log-in information for cloud services, email accounts or social networks” and that computer systems of neither the government nor the lower house of parliament had been breached.
A local newspaper report also revealed that the massive information leak affected 410 members of the ruling Christian Democratic Union of Germany, 230 members of the Social Democratic Party, 106 members of the Green Party, and 91 members of The Left (Die Linke).
“While actor attribution is notoriously difficult, early indications suggest that the Russian APT group Turla (a.k.a. Snake, Venomous Bear, Waterbug, and Uroboros) is behind the German data breaches reported earlier today,” said Chris Dawson, Threat Intelligence Lead at Proofpoint.
“Proofpoint researchers have seen Turla targeting German interests before, particularly leveraging a G20 summit on the Digital Economy that took place in Hamburg in October 2017; other activity associated with this group has been well-documented and stretches back to at least 2008,” he added.