Alleged state hackers adapting to cover their tracks, says NCSC

A hacking group known as Turla, which has suspected links to Russia’s Federal Security Service, has been outed as the suspected source of cyber attacks in multiple countries in the past few years, the majority of them in the Middle East, demonstrating the need to recognise that cyber attackers will continue to adapt and evolve to avoid detection.

Following a two-year investigation, the UK’s National Cyber Security Centre (NCSC) and the US’s National Security Agency (NSA) has published evidence claiming that the group went after its victims exploiting techniques used by suspected Iran-based hacking groups.

Turla attacked its victims using implants stolen from an advanced persistent threat (APT) actor codenamed OilRig, which is suspected of links to the Iranian government. This means that its attacks appeared to be Iranian in origin, when this was not the case, said the NCSC, which added it had seen no evidence of collusion between the two groups.

In some cases, the investigators found these implants had already been deployed by an OilRig-associated IP address that was then accessed from infrastructure associated with Turla – which would suggest that some victims had already been compromised by the Iranians. Victims, including some in the UK, were chiefly military organisations, government departments, and academic and research institutions.

“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign,” said NCSC operations director Paul Chichester.

“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them. Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims.”

David Higgins, EMEA technical director at CyberArk, said the NCSC and NSA had highlighted the need for businesses to understand that attackers will use any means to remain undetected, and that this showed the need for CISOs to change their thinking and avoid falling victim to complacency.

“It’s complacent to assume that attackers will not try new methods to remain undetected and effective. Attackers constantly review and assess the way we protect ourselves, as well as how we respond to threats,” said Higgins.

“By understanding how organisations perform post-breach remediation, they have attempted mis-direction to protect themselves while having the finger pointed at another nation state, which has added political implications.

“The situation reinforces the need to think like attackers. Our defensive techniques must continually evolve to ensure that essential security controls are in place and constantly tested.”

Richard Bejtlich, principal security strategist at Corelight, added: “Russia’s use of Iranian infrastructure shows that organisations performing threat actor attribution cannot rely on a single source of information, such as an IP address, to determine adversary identities.

“While some have been quick to label this news as a case of failed attribution, I see the opposite. Three private sector companies – Symantec, ESET, and Kaspersky – all discussed this problem prior to the NCSC report. I see this as proof that cyber threat intelligence teams can penetrate false flag operations and that they can be supported by national intelligence agencies.”

John Hultquist, intelligence analysis director at FireEye, another security firm that has previously posited links between OilRig – also known as APT34 – and Tehran, said: “FireEye has not independently confirmed GCHQ's report on Russia-nexus Turla Team and its use of Iran-nexus APT34 tools and infrastructure.

“The activity described is consistent with Turla’s past activity – highly covert operations with significant consideration for operational security. The incidents are also reflective of Turla’s great technical skill, as this actor is among the most capable actors FireEye tracks.

“Collection efforts which leverage other infrastructure and the capability of peers, such as this, offer a low-cost, high-reward way to conduct operations while potentially confusing attribution.”