Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/21/2019
06:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Russian Hackers Using Iranian APT's Infrastructure in Widespread Attacks

New advisory from the UK's NCSC and the NSA throws fresh light on activity first revealed by Symantec in June.

A new report from the United Kingdom's National Cyber Security Center (NCSC) shows that the Russia-backed cyber espionage group Turla has carried out more attacks than previously thought using infrastructure and malware hijacked from Iranian threat group APT34.

The NCSC recently analyzed data pertaining to Turla's use of three malware tools — Neuron, Nautilus, and an ASPX-based backdoor — in attacks targeted at UK organizations. The tools are designed for attackers to steal data and maintain persistence on Windows networks.

The NCSC has previously noted Turla's use of these tools in intelligence-gathering operations targeting organizations in the technology, military, energy, and government sectors. But it had not until now connected the tools to APT34 (aka OilRig, Crambus) - though Symantec did so in a report back in June.

In a joint advisory with the National Security Agency (NSA) published Monday, the NCSC said its analysis of the malware — based on data from multiple-sources — shows Neuron and Nautilus are"very likely Iranian in origin." The data shows that Turla not only hijacked APT34's tools but also its command and control infrastructure to deliver malware and additional payloads on compromised systems, the NCSC said.  

Symantec in June reported that it had observed Waterbug (the security vendor's name for Turla) using APT34's malware and infrastructure in one targeted attack against an organization in the Middle East. The NCSC and NSA advisory, however, makes clear the Russian threat group used APT34's malware and infrastructure in attacks on multiple targets, especially in the Middle East.

"Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla's use of their implants," the NCSC said. "While Neuron and Nautilus tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements."

This is believed to be the first publicly known instance of one state-backed APT group hijacking and using a rival nation-state actor's attack infrastructure to expand victim targeting. "Although this type of activity has been discussed as a hypothetical tactic within the cybersecurity industry, it has rarely been publicly identified as being used operationally," says Alexandrea Berninger, senior cyber intelligence analyst at Symantec.

Like the NCSC, Symantec has found no evidence that the Iranian threat group knew it had been compromised or that another group was using its attack infrastructure to target the same victims. "The identification of Waterbug using Crambus' infrastructure in our report in June was the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group," Berninger notes.

According to the NCSC, Turla used APT34's hijacked tools both on networks the latter had already compromised as well as on additional victim networks. The data showed that Turla scanned for networks across 35 countries, many in the Middle East, for the presence of the Iranian ASPX backdoor associated with APT34. When it found these networks, the threat group attempted to leverage APT34's hijacked malware and infrastructure to establish its own separate presence on the same networks.

In some instances, APT34 would first deploy its implant on a victim network - only to have Turla access it later. The Russian group's ability to remotely connect with APT34's malware tools and get the tools to execute commands suggests that Turla had access to relevant cryptographic keys and controllers belonging the Iranian group, NCSC said.

Somewhat ironically, even as APT34 was busy distributing its malware on target networks, Turla quietly deployed its own implants on the Iran's group's APT infrastructure and used this to expand access into it.

More Attack Options

Avihai Ben Yossef, CTO of Cymulate, says Turla's strategy could provide the Russian group with more data and options to attack. Breaking into APT34 infrastructure could provide them with a network of already compromised machines or databases from which to build out attacks. "This type of activity isn't at all common, as usually APT groups knows how to protect their infrastructure and data," he says.

Turla/Waterbug also may be using the stolen infrastructure to throw defenders and security, says Berninger. Turla/Waterbug has a history of false flag operations and deceptive tactics. So the group's takeover of another group's network would fit into that pattern, she says.

Alternatively, the data also suggests that the Russian threat actor may be using Crambus/APT34's infrastructure to gain initial access to a victim network. "Waterbug is a sophisticated actor and likely has the capability to gain initial access via other means," Berninger notes.

But threat actors tend to be opportunistic. If they get a chance to break into a network without having to put the work into it, they are likely to take the opportunity. "Gaining access to another APT groups' infrastructure could provide Waterbug access to multiple victims they have interest in and would allow Waterbug to drop additional tools onto those networks to maintain access and execute their objectives," she says.

Turla's strategy of riding on Crambus' back can complicate matters for targeted organizations, Berninger says. Because attribution becomes harder, defenders could end up deploying the wrong response to an attack, she notes.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...