
Alleged state hackers adapting to cover their tracks, says NCSC

A group called Turla with suspected links to the Russian government stole Iranian tools and infrastructure to obscure the origins of attacks on multiple other countries, according to new evidence

A hacking group known as Turla, which has suspected links to Russia’s Federal Security Service, has been identified as the suspected source of cyber attacks in multiple countries over the past few years, most of them in the Middle East. The finding shows that cyber attackers will continue to adapt and evolve to avoid detection, and that defenders need to recognise this.

Following a two-year investigation, the UK’s National Cyber Security Centre (NCSC) and the US’s National Security Agency (NSA) have published evidence that the group went after its victims using tools and techniques associated with suspected Iran-based hacking groups.

Turla attacked its victims using implants stolen from an advanced persistent threat (APT) actor codenamed OilRig, which is suspected of links to the Iranian government. This means that its attacks appeared to be Iranian in origin, when this was not the case, said the NCSC, which added it had seen no evidence of collusion between the two groups.

In some cases, the investigators found these implants had already been deployed by an OilRig-associated IP address that was then accessed from infrastructure associated with Turla – which would suggest that some victims had already been compromised by the Iranians. Victims, including some in the UK, were chiefly military organisations, government departments, and academic and research institutions.
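The handover the investigators describe above, an implant deployed from one actor’s infrastructure and later operated from another’s, is exactly the pattern a single-indicator lookup misses: attributing the implant to whichever IP address first touched it would label the whole intrusion Iranian. The following Python is an added example, not code from the NCSC/NSA advisory or from any of the firms quoted on this page. The IP addresses, cluster labels and log lines are constructed for illustration and have no relation to real infrastructure. It contrasts a first-seen-IP attribution with a per-implant timeline of which tracked cluster accessed the implant, and works for any number of tagged clusters, not just two.

```python
"""Correlating implant access across attributed infrastructure sets.

Added example: a constructed C2/access log is parsed and each implant is
attributed two ways - by the first IP that touched it (single indicator)
and by the ordered sequence of tracked clusters that accessed it over time.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical infrastructure tags (documentation ranges, not real actor IPs).
INFRA_TAGS = {
    "203.0.113.10": "OilRig",
    "203.0.113.11": "OilRig",
    "198.51.100.5": "Turla",
    "198.51.100.6": "Turla",
}

# Constructed log lines: "<timestamp> <victim> <implant_id> <src_ip> <action>"
SAMPLE_LOG = """\
2019-03-01T08:00:00Z victim-A imp-001 203.0.113.10 deploy
2019-03-02T09:15:00Z victim-A imp-001 203.0.113.11 task
2019-04-10T11:00:00Z victim-A imp-001 198.51.100.5 task
2019-04-12T14:30:00Z victim-B imp-002 203.0.113.10 deploy
2019-04-13T10:00:00Z victim-B imp-002 203.0.113.10 task
2019-05-01T07:45:00Z victim-C imp-003 198.51.100.6 deploy
2019-05-02T08:00:00Z victim-C imp-003 198.51.100.6 task
2019-05-03T12:00:00Z victim-D imp-004 192.0.2.77 deploy
"""


@dataclass(frozen=True)
class Access:
    ts: str
    victim: str
    implant: str
    src_ip: str
    action: str


def parse_log(text):
    """Parse the whitespace-separated constructed log format into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, victim, implant, src_ip, action = line.split()
        records.append(Access(ts, victim, implant, src_ip, action))
    return records


def naive_attribution(records):
    """Single-indicator view: attribute each implant to the cluster of the
    first IP that touched it. Untagged IPs map to 'unknown'."""
    first_seen = {}
    for r in sorted(records, key=lambda r: r.ts):  # ISO-8601 sorts lexically
        first_seen.setdefault(r.implant, INFRA_TAGS.get(r.src_ip, "unknown"))
    return first_seen


def operator_timeline(records):
    """Per implant, the ordered list of (cluster, first_timestamp) for each
    run of accesses from a given cluster; consecutive accesses from the
    same cluster collapse into one entry."""
    timeline = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        tag = INFRA_TAGS.get(r.src_ip, "unknown")
        runs = timeline[r.implant]
        if not runs or runs[-1][0] != tag:
            runs.append((tag, r.ts))
    return dict(timeline)


def find_handovers(records):
    """Implants accessed by more than one cluster, with the order of control.
    A result such as ['OilRig', 'Turla'] is the handover pattern described
    in the investigation: deployed by one actor, later driven by another."""
    handovers = {}
    for implant, runs in operator_timeline(records).items():
        tags = [tag for tag, _ in runs]
        if len(set(tags)) > 1:
            handovers[implant] = tags
    return handovers


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("first-IP attribution:", naive_attribution(recs))
    print("handovers:", find_handovers(recs))
```

On the constructed data the first-IP view labels imp-001 as OilRig, while the timeline shows it was deployed from OilRig-tagged addresses and then tasked from a Turla-tagged address, which is the case to escalate rather than attribute on the first hit. Real work would add further sources (implant build artefacts, working hours, TLS fingerprints) to the same per-implant timeline rather than stop at IP tags.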

“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign,” said NCSC operations director Paul Chichester.

“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them. Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims.”

David Higgins, EMEA technical director at CyberArk, said the NCSC and NSA had highlighted the need for businesses to understand that attackers will use any means to remain undetected, and that this showed the need for CISOs to change their thinking and avoid falling victim to complacency.

“It’s complacent to assume that attackers will not try new methods to remain undetected and effective. Attackers constantly review and assess the way we protect ourselves, as well as how we respond to threats,” said Higgins.

“By understanding how organisations perform post-breach remediation, they have attempted misdirection to protect themselves while having the finger pointed at another nation state, which has added political implications.

“The situation reinforces the need to think like attackers. Our defensive techniques must continually evolve to ensure that essential security controls are in place and constantly tested.”

Richard Bejtlich, principal security strategist at Corelight, added: “Russia’s use of Iranian infrastructure shows that organisations performing threat actor attribution cannot rely on a single source of information, such as an IP address, to determine adversary identities.

“While some have been quick to label this news as a case of failed attribution, I see the opposite. Three private sector companies – Symantec, ESET, and Kaspersky – all discussed this problem prior to the NCSC report. I see this as proof that cyber threat intelligence teams can penetrate false flag operations and that they can be supported by national intelligence agencies.”

John Hultquist, intelligence analysis director at FireEye, another security firm that has previously posited links between OilRig – also known as APT34 – and Tehran, said: “FireEye has not independently confirmed GCHQ's report on Russia-nexus Turla Team and its use of Iran-nexus APT34 tools and infrastructure.

“The activity described is consistent with Turla’s past activity – highly covert operations with significant consideration for operational security. The incidents are also reflective of Turla’s great technical skill, as this actor is among the most capable actors FireEye tracks.

“Collection efforts which leverage other infrastructure and the capability of peers, such as this, offer a low-cost, high-reward way to conduct operations while potentially confusing attribution.”


1 comment

Do Facebook actually have control of their internal networks? Becoming more and more plausible are the minority claiming they are either subject to an APT infiltration in backend systems or they have an insider threat not yet recognised by Facebook management. Still dangers lurking in Instagram & WhatsApp & a new kid on the block, iOS Shortcuts. Facebook is again responsible for hiding a vast malicious botnet collecting a small fortune in click/ad fraud. A bad actor #APT utilising the Facebook dev platform & some of its popular open source frameworks, React JS & Open Graph API. Yet more 3rd party abuse of data for Facebook users globally. From Hybrid-A scan of chessmicrobase dot com /m/1koly51q + assets.chessmicrobase and insecure versions of ogp.me (/ns#), to which is part of a vast malvertising campaign starting point from BT Home Hubs, blocking and opt out of network cookies. Bad actor replacement embedded cookies inject via helper & aged insecure help pages on hub settings access, invoke a multitude of click/ad fraud, DNS spoofing and multiple phishing campaigns on .gov.uk websites. Possible offline fraud via HMRC and USA border control, human trafficking. Remote Access Related * Contains indicators of bot communication commands
details

"GET /assets/favicon.png HTTP/1.1
 Accept: */*
 Accept-Encoding: gzip, deflate
 User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
 Host: chessmicrobase.com
 DNT: 1
 Connection: Keep-Alive
 Cookie: __cfduid=d23189e1675c1e89c6225ba3db616b5ea1571856069; chessmicrobase_session=54d728e5ae1df00cde56afc5917608bb; __utma=249848660.429181473.1571856075.1571856075.1571856075.1; __utmb=249848660.1.10.1571856075; __utmc=249848660; __utmz=249848660.1571856075.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1" (Indicator: "cmd=")

"GET /favicon.ico HTTP/1.1
 Accept: */*
 Accept-Encoding: gzip, deflate
 User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
 Host: chessmicrobase.com
 DNT: 1
 Connection: Keep-Alive
 Cookie: __cfduid=d23189e1675c1e89c6225ba3db616b5ea1571856069; chessmicrobase_session=54d728e5ae1df00cde56afc5917608bb; __utma=249848660.429181473.1571856075.1571856075.1571856075.1; __utmb=249848660.1.10.1571856075; __utmc=249848660; __utmz=249848660.1571856075.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1" (Indicator: "cmd=")