A new report from the United Kingdom's National Cyber Security Centre (NCSC) shows that the Russia-backed cyber espionage group Turla has carried out more attacks than previously thought using infrastructure and malware hijacked from Iranian threat group APT34.
The NCSC recently analyzed data pertaining to Turla's use of three malware tools — Neuron, Nautilus, and an ASPX-based backdoor — in attacks targeted at UK organizations. The tools are designed for attackers to steal data and maintain persistence on Windows networks.
The NCSC has previously noted Turla's use of these tools in intelligence-gathering operations targeting organizations in the technology, military, energy, and government sectors. But it had not until now connected the tools to APT34 (aka OilRig, Crambus) - though Symantec did so in a report back in June.
In a joint advisory with the National Security Agency (NSA) published Monday, the NCSC said its analysis of the malware — based on data from multiple sources — shows Neuron and Nautilus are "very likely Iranian in origin." The data shows that Turla not only hijacked APT34's tools but also its command-and-control infrastructure to deliver malware and additional payloads to compromised systems, the NCSC said.
Symantec in June reported that it had observed Waterbug (the security vendor's name for Turla) using APT34's malware and infrastructure in one targeted attack against an organization in the Middle East. The NCSC and NSA advisory, however, makes clear the Russian threat group used APT34's malware and infrastructure in attacks on multiple targets, especially in the Middle East.
"Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla's use of their implants," the NCSC said. "While Neuron and Nautilus tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements."
This is believed to be the first publicly known instance of one state-backed APT group hijacking and using a rival nation-state actor's attack infrastructure to expand victim targeting. "Although this type of activity has been discussed as a hypothetical tactic within the cybersecurity industry, it has rarely been publicly identified as being used operationally," says Alexandrea Berninger, senior cyber intelligence analyst at Symantec.
Like the NCSC, Symantec has found no evidence that the Iranian threat group knew it had been compromised or that another group was using its attack infrastructure to target the same victims. "The identification of Waterbug using Crambus' infrastructure in our report in June was the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group," Berninger notes.
According to the NCSC, Turla used APT34's hijacked tools both on networks the latter had already compromised and on additional victim networks. The data showed that Turla scanned networks across 35 countries, many in the Middle East, for the presence of the Iranian ASPX backdoor associated with APT34. When it found such networks, the threat group attempted to leverage APT34's hijacked malware and infrastructure to establish its own separate presence on them.
In some instances, APT34 would first deploy its implant on a victim network, only to have Turla access it later. The Russian group's ability to remotely connect to APT34's malware tools and get them to execute commands suggests that Turla had access to the relevant cryptographic keys and controllers belonging to the Iranian group, the NCSC said.
Somewhat ironically, even as APT34 was busy distributing its malware on target networks, Turla quietly deployed its own implants on the Iranian group's infrastructure and used them to expand its access into it.
More Attack Options
Avihai Ben Yossef, CTO of Cymulate, says Turla's strategy could provide the Russian group with more data and more options to attack. Breaking into APT34's infrastructure could give it a network of already compromised machines or databases from which to build out attacks. "This type of activity isn't at all common, as usually APT groups know how to protect their infrastructure and data," he says.
Turla/Waterbug also may be using the stolen infrastructure to throw defenders off track, says Berninger. Turla/Waterbug has a history of false-flag operations and deceptive tactics, so the group's takeover of another group's network would fit that pattern, she says.
Alternatively, the data also suggests that the Russian threat actor may be using Crambus/APT34's infrastructure to gain initial access to a victim network. "Waterbug is a sophisticated actor and likely has the capability to gain initial access via other means," Berninger notes.
But threat actors tend to be opportunistic. If they get a chance to break into a network without having to put the work into it, they are likely to take the opportunity. "Gaining access to another APT groups' infrastructure could provide Waterbug access to multiple victims they have interest in and would allow Waterbug to drop additional tools onto those networks to maintain access and execute their objectives," she says.
Turla's strategy of riding on Crambus' back can complicate matters for targeted organizations, Berninger says. Because attribution becomes harder, defenders could end up deploying the wrong response to an attack, she notes.