Last week the US and the UK made a statement together that Russian hackers and bad actors targeted 35 countries with cyber attacks around the world while disguised as Iranian spies. The Russian group who carried this out, Turla, is also known by the names Snake, Uroburos, Waterbug and Venomous Bear. They stole intelligence and documents from their victims, including government agencies. The US National Security Agency (NSA) and the UK Cyber Security Centre (NCSC) announced the discovery.

The Turla Russian hackers got a hold of Iranian tools and cloaked under their infrastructure, they managed to hide their identity in broad daylight, at least for a while. Of the 35 countries they attacked, they focused heavily on the Middle East. Victims there included the military, government, scientific orgs and universities.

“Neuron” and “Nautilus” implants helped identify the fake identity

The Russian Turla hackers used “Neuron” and “Nautilus” implants, used previously by Iranian hackers. They snagged them by compromising Iranian hackers.

It’s often not easy to identify who’s behind attacks. But Paul Chichester, NCSC’s director of operations, stated there was evidence pointing to the Turla group, known for going after many different kinds of organizations.

NCSC’s director gave the hackers a warning that “even when cyber actors seek to mask their identity,” intelligence agencies can identify them. They revealed that one such clue was the implants like Neuron or Nautilus. When first deployed, they were associated with an IP address of an Iranian group, which was later accessed by Turla. This demonstrates various bad actors were taking control of others who in turn were themselves compromised by hackers. Neuron or Nautilus were already known publicly, with two advisories released by NCSC in 2017 and 2018.

“Turla used implants derived from the suspected Iran-based hacking groups’ previous campaigns, ‘Neuron’ and ‘Nautilus.’ In order to acquire these tools and access the infrastructure, Turla also compromised the suspected Iran-based hacking groups themselves,” the research center pointed out.

“After acquiring the tools — and the data needed to use them operationally — Turla first tested them against victims they had already compromised […] and then deployed the Iranian tools directly to additional victims,” according to the report. “Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold.”

Some Nation States Are More Sophisticated Than Others

Some nation states have extremely sophisticated cyber skills and they use them to attack and spy on other nations. In some ways, this helps the rest of us identify their activities. When they carry out a complex attack, even if they make it look like another country is the perpetrator, sometimes the attack is too complicated for that country to even be able to execute, which raises suspicions.

Russia follows a doctrine, “maskirovka,” which supports deception or “masking.” They use this approach to run interference, even overseas, and then attempt to claim innocence. Those who’ve been watching have seen it before.

Countries like Iran and China have been accused of cyber attacks in the past that some thought perhaps they were not fully capable of carrying. Even North Korea could fit into this group at times. They were deemed guilty (and proven so) for WannaCry. But for other attacks, their knowledge may be too limited given the country’s Internet access is severely restricted. Given Russia’s propensity for making others look guilty, maybe Russia is responsible for more attacks than everyone thinks.

 

Further resources:

DHS about electrical grid attacks by Russian agents 

Could Russia shut down US electric grids

Russian hackers breach US utility networks via trusted vendors

 

It’s official: North Korea is behind Wannacry

US Treasury Department Levies Sanctions Against North Korean Group Behind 2017 WannaCry

 

Sources:

https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims

https://www.ncsc.gov.uk/news/turla-group-malware