Intelligence officials in the US and the UK have revealed that Russia-based hackers used Iranian cyber tools and digital infrastructure to attack government and industry targets in dozens of countries, advancing Russian intelligence objectives while riding on another state's tooling.
The officials said on Monday, October 21, that a hacking group called "Turla," widely assessed to be a Russian cyber-espionage group, has used two Iranian hacking tools, Nautilus and Neuron, to target government, military, academic and scientific organisations in at least 35 countries.
According to a joint advisory released by the US National Security Agency (NSA) and the UK's National Cyber Security Centre (NCSC), "The focus of this activity from Turla was largely in the Middle East, where the targeting interests of both Advanced Persistent Threats (APTs) overlap."
The advisory also stated that "the timeline of incidents, and the behaviour of Turla in actively scanning for Iranian backdoors, indicates that while Neuron and Nautilus tools were Iranian in origin," the Russian group was using these tools and accesses independently to further its own intelligence requirements. Turla is reported to have acquired the tools by early 2018.
The officials noted that Turla initially deployed the Iranian malware alongside one of its own toolkits, known as "Snake," but later began targeting victims with Neuron and Nautilus directly. The group also sought further access to its targets by scanning their networks for backdoors that Iran-based hackers had already planted, in effect inheriting another actor's footholds.
"Investigation into these victims identified that while some implants had been deployed and administered from infrastructure associated with the Turla group, others had previously been connected to by Virtual Private Server (VPS) IP addresses associated in the cybersecurity community with Iranian APT groups," the advisory said.
During the investigation, the officials also found that Turla broke into the command-and-control infrastructure of an Iranian APT group known as OilRig or Crambus and used that platform as a launch-pad for its own attacks. The Russian group also stole data from the Iranian operation, which helped Turla co-opt its earlier work.
According to the authorities, the breach gave the Russian group "unprecedented insight into the tactics, techniques and procedures of the Iranian APT," including the list of active victims, credentials for accessing their infrastructure, and the code needed to build new versions of the Iranian tools. For defenders this is the practical caveat: the infrastructure and tooling seen in an intrusion do not by themselves identify the actor behind it.
David Higgins, the Technical Director at CyberArk told IBTimes Singapore, "The big takeaway from this is the need to understand that attackers continually adapt to remain undetected and therefore retain their ability to threaten. This should change thinking from the cyber-defence point of view – complacency must not be allowed to set in. We must think like attackers to remain effective against attackers that constantly evolve their techniques."
"It's complacent to assume that attackers will not try new methods to remain undetected and effective. Attackers constantly review and assess the way we protect ourselves, as well as how we respond to threats. By understanding how organisations perform post-breach remediation, they have attempted misdirection to protect themselves whilst having the finger pointed at another nation-state, which has added political implications. The situation reinforces the need to think like attackers. Our defensive techniques must continually evolve to ensure that essential security controls are in place and constantly tested."
The Russia-linked group, also tracked as "Venomous Bear," "Waterbug" and "Uroboros," was reported in April 2018 to have developed tools capable of executing PowerShell commands by leveraging Empire PSInject. The group has also distributed malware disguised as Adobe software, tricking users into believing they were downloading legitimate software from adobe.com.