Russian government-linked advanced persistent threat (APT) group Turla, which was revealed last year to have hijacked Iranian computer network operations resources to conduct its attacks and obfuscate its activity, was likely to have been operating opportunistically and not collaborating with the Iranians, according to new research published by Recorded Future’s Insikt unit.
In October 2019, the UK’s National Cyber Security Centre (NCSC) and the US’s National Security Agency (NSA) closed out a two-year investigation and published conclusive evidence that Turla was attacking its victims using implants that had been stolen from the APT34 or OilRig APT group, which is linked to the Iranian government.
To date, the group’s victims have included military organisations, government departments, academic and research institutions, and publishing and media companies; its targets often have specific interests in scientific and energy research and in diplomatic affairs. Many of them have been located in European and other NATO states, and in former Soviet republics.
The group has become known for its use of watering-hole attacks – often using compromised WordPress sites – and spear-phishing campaigns, but it has also used a number of more inventive techniques, including the use of satellites to exfiltrate data from remote areas. It is also known to rely on open source software tools, but also specialises in developing its own malware strains. In 2019, it pivoted to heavy reliance on PowerShell exploits in its attacks.
Further research carried out by Insikt into Turla – which also goes by the names Snake, Waterbug and Venomous Bear – revealed that its hijacking of APT34’s resources has been unique among known threat actors to date, amounting effectively to a complete takeover of one nation state group’s assets by another.
Insikt said that although it was possible that this was due to some measure of collaboration, the available evidence did not support that conclusion.
“For example, while Turla had significant insight into APT34 tools and operations, they were required to scan for Iranian web shells in order to find where these tools were deployed,” wrote the report’s authors. “We assess that Turla’s interposition into Iranian operations was likely an uncoordinated and thus hostile act.
“While Insikt Group assesses that Turla Group’s use of APT34 infrastructure was primarily opportunistic in nature, an added benefit for the operators was likely the deception of incident responders, who would potentially identify the tools as Iranian in origin.”
Turla does have form in this regard, having reused Chinese state-attributed malware strain Quarian in attacks in 2012. Previous assessments by other threat researchers had suggested Turla downloaded, then uninstalled Quarian in order to divert and deceive victims’ security teams and investigators.
Although, like many other nation-state APT groups, Turla has increased its reliance on open source and commodity tools, the fact that it continues to develop its own advanced malware strains – Reductor RAT, first identified in the autumn of 2019, is suspected of being one of its projects – makes it a more potent threat in some ways.
Insikt said it was indubitably a well-funded group, committed to improving its tools and practices, and certainly connected to a nation state with advanced cyber security capabilities.
“Although we expect its targeting and practices to shift over time, Insikt Group assesses that Turla will remain an active, advanced threat for years to come that will continue to surprise with unique operational concepts,” said the researchers.
However, one piece of good news for security teams may be that because Turla is largely consistent in its attack patterns and uses stable and periodically updated versions of unique malware in lengthy campaigns, it is easier to track and identify proactively.
The Insikt Group’s full investigation into Turla can be read on and downloaded from its website.