False Flag: Russian Hackers Hijack An Iranian Group

Uploaded on 2019-10-28 in INTELLIGENCE-Hot Spots-Russia, INTELLIGENCE-Hot Spots-Iran, INTELLIGENCE--International, GOVERNMENT-National, FREE TO VIEW, TECHNOLOGY--Hackers

Russian hackers used Iranian cyber tools and digital infrastructure to launch attacks on government and industry groups in dozens of countries. An Iranian hacking group was hacked by another Russian hacking group so they could spy on multiple countries, UK and US intelligence agencies, without it being obvious who was scrutinizing. 

The Iranian group, codenamed OilRig, had its operations compromised by a Russian-based group known as Turla.The Russians piggybacked on the Iranian group to target other victims.

A British National Cyber Security Centre (NCSC) investigation, begun in 2017 into an attack on a UK academic institution, uncovered the double-dealing.

Crowded Space
The NCSC discovered that the attack on the institution had been carried out by the Russian Turla group, which it realised was scanning for capabilities and tools used by Iran-based OilRig. In an investigation that lasted months, it became clear the Russian group had targeted the Iranian-based group and then used its tools and access to collect data and compromise further systems. 

Attacks were discovered against more than 35 countries with the majority of the victims being in the Middle East. At least 20 were successfully compromised. The ambition was to steal secrets, and documents were taken from a number of targets, including governments. 

Intelligence agencies said Turla was both getting hold of information the Iranians were stealing but also running their own operations using Iranian access and then hoping it would hide their tracks.
Victims might have assumed they had been compromised by the Iranian-based group when in fact the real culprit was based in Russia. 

There is no evidence that Iran was complicit or aware of the Russians' use of their access or that the activity was done to foment trouble between countries but is a sign of the increasingly complex world of cyber-operations. 
The NCSC would also not directly attribute the attacks to the Russian and Iranian states but Turla has previously been linked by others to Russia's Security Service, the FSB, and OilRig to the Iranian state. 

'We can Identify them'
The investigation was primarily a UK one but the details are being revealed jointly by the NCSC and America's NSA. 
A report of Turla compromising another espionage group was made by the private security company Symantec in June. 
The Turla group, which is widely believed to be Russian in origin, used two Iranian hacking tools, Nautilus and Neuron, to target military, government, academic and scientific organizations in at least 35 different countries
Authorities said the Nautilus and Neuron tools had “very likely” originated in Iran, but Turla had acquired both tools by early 2018. 

The group initially used the malware in combination with one of its own toolkits, called Snake, but eventually began targeting victims with the tools directly. 

In some cases, authorities found that Turla-affiliated hackers tried to access the network using implants that had previously been exploited and subsequently destroyed, by Iranian advanced persistent threat groups. 

NCSC.gov:           BBC:           DefenseOne

You Might Also Read:

Russian Hacker False Flags Work - Even After They're Exposed:

 

« Protect Your Organisation From Employee Data Theft
UK Workforce Lacks Basic Cyber Training »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ITQ

ITQ

ITQ is an IT consulting firm with a focus on the entire VMware-product portfolio with three main services: Professional Services, Support Services and Managed Services.

Celestix Networks

Celestix Networks

Celestix is a global provider of secure network solutions that enable the simple deployment of secure remote access connectivity.

ForgeRock

ForgeRock

ForgeRock, the leader in digital identity, delivers comprehensive Identity and Access Management solutions for consumers, employees and things to simply and safely access the connected world.

International Conference on Information Systems Security & Privacy (ICISSP)

International Conference on Information Systems Security & Privacy (ICISSP)

The ICISSP event is a meeting point for researchers and practitioners to address security and privacy challenges concerning information systems.

CyberVista

CyberVista

CyberVista is a cybersecurity training education and workforce development company. Our mission is to eliminate the skills gap by creating job ready professionals.

The Media Trust

The Media Trust

The Media Trust continuously scans websites, ad tags and mobile apps and alerts on anomalies affecting websites and visitors.

ANIS

ANIS

ANIS represents the interests of Romanian IT companies and supports the development of the software and services industry.

Innovasec

Innovasec

Innovasec provide information security consulting and training services.

BetaDen

BetaDen

BetaDen provides a revolutionary platform for businesses to develop next-generation technology, such as the internet of things and industry 4.0.

Inceptus

Inceptus

Inceptus is a next generation Managed Security Service Provider (MSSP). We are dedicated to keeping our customers safe, secure and protected while doing business on the Internet.

Mphasis

Mphasis

Mphasis is a leading applied technology services company applying next-generation technology to help enterprises transform businesses globally.

Spamhaus

Spamhaus

Spamhaus is the world leader in supplying realtime highly accurate threat intelligence to the Internet's major networks.

Tangible Security

Tangible Security

Tangible employs the most sophisticated cyber security tools and techniques available to protect our clients’ sensitive data, infrastructure and competitive advantage.

Traced

Traced

At Traced, our aim is to redefine mobile cyber security to provide the best possible protection to everyone against breaches of privacy and security.

Bell Canada

Bell Canada

Bell is the leading provider of network and communications services for Canadian businesses and the partner for delivering network, IoT, cloud, voice, collaboration and security solutions.

Nyx Technology

Nyx Technology

Nyx Technology is your dedicated partner in navigating the intricate world of cyber security, providing you with cutting-edge threat intelligence to safeguard your digital assets.