False Flag: Russian Hackers Hijack An Iranian Group

Russian hackers used Iranian cyber tools and digital infrastructure to launch attacks on government and industry groups in dozens of countries. An Iranian hacking group was hacked by another Russian hacking group so they could spy on multiple countries, UK and US intelligence agencies, without it being obvious who was scrutinizing. 

The Iranian group, codenamed OilRig, had its operations compromised by a Russian-based group known as Turla.The Russians piggybacked on the Iranian group to target other victims.

A British National Cyber Security Centre (NCSC) investigation, begun in 2017 into an attack on a UK academic institution, uncovered the double-dealing.

Crowded Space
The NCSC discovered that the attack on the institution had been carried out by the Russian Turla group, which it realised was scanning for capabilities and tools used by Iran-based OilRig. In an investigation that lasted months, it became clear the Russian group had targeted the Iranian-based group and then used its tools and access to collect data and compromise further systems. 

Attacks were discovered against more than 35 countries with the majority of the victims being in the Middle East. At least 20 were successfully compromised. The ambition was to steal secrets, and documents were taken from a number of targets, including governments. 

Intelligence agencies said Turla was both getting hold of information the Iranians were stealing but also running their own operations using Iranian access and then hoping it would hide their tracks.
Victims might have assumed they had been compromised by the Iranian-based group when in fact the real culprit was based in Russia. 

There is no evidence that Iran was complicit or aware of the Russians' use of their access or that the activity was done to foment trouble between countries but is a sign of the increasingly complex world of cyber-operations. 
The NCSC would also not directly attribute the attacks to the Russian and Iranian states but Turla has previously been linked by others to Russia's Security Service, the FSB, and OilRig to the Iranian state. 

'We can Identify them'
The investigation was primarily a UK one but the details are being revealed jointly by the NCSC and America's NSA. 
A report of Turla compromising another espionage group was made by the private security company Symantec in June. 
The Turla group, which is widely believed to be Russian in origin, used two Iranian hacking tools, Nautilus and Neuron, to target military, government, academic and scientific organizations in at least 35 different countries
Authorities said the Nautilus and Neuron tools had “very likely” originated in Iran, but Turla had acquired both tools by early 2018. 

The group initially used the malware in combination with one of its own toolkits, called Snake, but eventually began targeting victims with the tools directly. 

In some cases, authorities found that Turla-affiliated hackers tried to access the network using implants that had previously been exploited and subsequently destroyed, by Iranian advanced persistent threat groups. 

NCSC.gov:           BBC:           DefenseOne

You Might Also Read:

Russian Hacker False Flags Work - Even After They're Exposed:

 

« Protect Your Organisation From Employee Data Theft
UK Workforce Lacks Basic Cyber Training »

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Cyber Security Service Supplier Directory

Cyber Security Service Supplier Directory

Free Access: Cyber Security Service Supplier Directory listing 5,000+ specialist service providers.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Securious

Securious

Securious has been implementing trusted network security and data protection solutions since 2007.

Computer & Communications Industry Association (CCIA)

Computer & Communications Industry Association (CCIA)

CCIA supports efforts to facilitate and streamline information sharing on cyber threats between the private sector and the Federal Government.

Datashield

Datashield

Datashield is a leading provider of Managed Security Services (MSS), and Managed Detection and Response (MDR), to middle market and enterprise customers.

Sabasai

Sabasai

Sabasai specialises in all aspects of insider threat management from training and education to building security frameworks and insider threat programs to on-site risk & vulnerability assessments.

Cortado Mobile Solutions

Cortado Mobile Solutions

Cortado Mobile Solutions creates enterprise mobility and file sharing solutions for companies, teams and freelancers.

CyberDegrees.org

CyberDegrees.org

CyberDegrees.org aims to provide top-notch information for students seeking Cyber Security education and career guidance.

Celerium

Celerium

Celerium transforms cyber defense for both companies and industry sectors by leveraging cyber threat intelligence to defend against cyber threats and attacks.

Cybersecurity Manufacturing Innovation Institute (CyManII)

Cybersecurity Manufacturing Innovation Institute (CyManII)

CyManII was established to create economically viable, pervasive, and inconspicuous cybersecurity in American manufacturing to secure the digital supply chain and energy automation.