False Flag: Russian Hackers Hijack An Iranian Group

Russian hackers used Iranian cyber tools and digital infrastructure to launch attacks on government and industry groups in dozens of countries. According to UK and US intelligence agencies, an Iranian hacking group was itself hacked by a Russian group, which then used the Iranian access to spy on multiple countries without it being obvious who was doing the spying.

The Iranian group, codenamed OilRig, had its operations compromised by a Russia-based group known as Turla. The Russians piggybacked on the Iranian group's infrastructure to target other victims.

A British National Cyber Security Centre (NCSC) investigation, begun in 2017 into an attack on a UK academic institution, uncovered the double-dealing.

Crowded Space
The NCSC discovered that the attack on the institution had been carried out by the Russian Turla group, which it realised was scanning for capabilities and tools used by Iran-based OilRig. In an investigation that lasted months, it became clear the Russian group had targeted the Iranian-based group and then used its tools and access to collect data and compromise further systems. 

Attacks were discovered against more than 35 countries with the majority of the victims being in the Middle East. At least 20 were successfully compromised. The ambition was to steal secrets, and documents were taken from a number of targets, including governments. 

Intelligence agencies said Turla was both getting hold of the information the Iranians were stealing and running its own operations through the Iranian access, hoping that this would hide its tracks.
Victims might have assumed they had been compromised by the Iran-based group when in fact the real culprit was based in Russia.

There is no evidence that Iran was complicit in or aware of the Russians' use of its access, or that the activity was intended to foment trouble between countries, but it is a sign of the increasingly complex world of cyber-operations.
The NCSC would also not directly attribute the attacks to the Russian and Iranian states, but Turla has previously been linked by others to Russia's security service, the FSB, and OilRig to the Iranian state.

'We Can Identify Them'
The investigation was primarily a UK one but the details are being revealed jointly by the NCSC and America's NSA. 
A report of Turla compromising another espionage group was made by the private security company Symantec in June. 
The Turla group, which is widely believed to be Russian in origin, used two Iranian hacking tools, Nautilus and Neuron, to target military, government, academic and scientific organisations in at least 35 different countries.
Authorities said the Nautilus and Neuron tools had “very likely” originated in Iran, but Turla had acquired both tools by early 2018. 

The group initially used the malware in combination with one of its own toolkits, called Snake, but eventually began targeting victims with the tools directly. 

In some cases, authorities found that Turla-affiliated hackers tried to access networks using implants that Iranian advanced persistent threat groups had previously deployed and subsequently destroyed.

Sources: NCSC.gov, BBC, DefenseOne
