Russian hackers hijacked Iranian cyber-attack infrastructure to launch attacks on the UK

Turla, linked to Russia's FSB security agency, hacked Iranian tools and infrastructure to mask its attacks on the UK, US and Middle East

The Russia-linked Turla APT acquired tools belonging to Iranian government threat groups and hijacked their infrastructure in a bid to disguise cyber attacks on the UK, US and countries throughout the Middle East.

The claim was made today in advisories released jointly by UK and US intelligence. "Turla used implants derived from the suspected Iran-based hacking groups' previous campaigns, ‘Neuron' and ‘Nautilus'. In order to acquire these tools and access the infrastructure, Turla also compromised the suspected Iran-based hacking groups," claimed the UK National Cyber Security Centre (NCSC).

Turla used implants derived from the suspected Iran-based hacking groups' previous campaigns, ‘Neuron' and ‘Nautilus'

"Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign… Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims," added NCSC director of operations Paul Chichester.

However, the hackers behind Turla - also known as Venemous Bear, Group 88 and Snake - in some instances accessed compromised systems from infrastructure associated with them, rather than via the Iranian infrastructure they had taken over, pointing the finger of blame at Russia-linked hacking groups rather than Iranian-linked groups.

Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims

In particular, Turla used the attack tools given the name Neuron and Nautilus, associated with Iranian APTs. "Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla's use of their implants," claimed the NCSC in its assessment.

It continued: "After acquiring the tools - and the data needed to use them operationally - Turla first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims.

"Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold."

In order to initiate connections with the implants, Turla must have had access to relevant cryptographic key material

The assessment adds that, while the Neuron and Nautilus tools, and activity associated with them, had previously been linked with Iranian groups, "Turla were using these tools and accesses independently to further their own intelligence requirements [but] the behaviour of Turla in scanning for backdoor shells indicates that whilst they had a significant amount of insight into the Iranian tools, they did not have full knowledge of where they were deployed".

It added: "In some instances, it appeared an Iranian APT-associated IP address first deployed the implant, and later, Turla-associated infrastructure accessed the same implant.

"In order to initiate connections with the implants, Turla must have had access to relevant cryptographic key material, and likely had access to controller software in order to produce legitimate tasking.

"In other instances, Turla deployed Neuron to victims in which they already had access to via their Snake toolkit, with all observed connections from Turla-associated infrastructure."

Once identified, Turla appeared to use these ASPX shells to gain an initial foothold into victims of interest

Turla also utilised Snake victim networks to scan for Microsoft Active Server Pages extended file (ASPX) webshells on IP addresses across 35 countries.

"Commands were passed to the ASPX shell in encrypted HTTP Cookie values, requiring knowledge of the cryptographic keys to produce valid tasking and successfully interact with it.

"From one Snake victim, a log file was recovered which recorded the output of Turla's scanning for these ASPX shells with the strings "!!!MAY BE SHELL!!! (check version)" and "!!!MAY BE SHELL!!! (100%)"; over 3500 unique IP addresses were scanned.

"Once identified, Turla appeared to use these ASPX shells to gain an initial foothold into victims of interest, and then deploy further tools."

The hijack of the Iranian APT group's infrastructure went all the way up to the command and control infrastructure, according to the NCSC assessment, with security firm Symantec even observing Turla Group delivering their own malware via the Iranian infrastructure.

Data exfiltration from the Iranian infrastructure by Turla included directory listings and files, along with keylogger output containing operational activity from the Iranian actors, including connections to Iranian C2 domains.

"This access gave Turla unprecedented insight into the tactics, techniques and procedures (TTPs) of the Iranian APT, including lists of active victims and credentials for accessing their infrastructure, along with the code needed to build versions of tools such as Neuron for use entirely independently of Iranian C2 [command and control] infrastructure."