Attacks/Breaches

10/21/2019
06:40 PM
Russian Hackers Using Iranian APT's Infrastructure in Widespread Attacks

New advisory from the UK's NCSC and the NSA throws fresh light on activity first revealed by Symantec in June.

A new report from the United Kingdom's National Cyber Security Center (NCSC) shows that the Russia-backed cyber espionage group Turla has carried out more attacks than previously thought using infrastructure and malware hijacked from Iranian threat group APT34.

The NCSC recently analyzed data pertaining to Turla's use of three malware tools — Neuron, Nautilus, and an ASPX-based backdoor — in attacks targeted at UK organizations. The tools are designed to steal data and maintain persistence on Windows networks.

The NCSC has previously noted Turla's use of these tools in intelligence-gathering operations targeting organizations in the technology, military, energy, and government sectors. But it had not until now connected the tools to APT34 (aka OilRig, Crambus) - though Symantec did so in a report back in June.

In a joint advisory with the National Security Agency (NSA) published Monday, the NCSC said its analysis of the malware — based on data from multiple sources — shows Neuron and Nautilus are "very likely Iranian in origin." The data shows that Turla hijacked not only APT34's tools but also its command and control infrastructure to deliver malware and additional payloads to compromised systems, the NCSC said.

Symantec in June reported that it had observed Waterbug (the security vendor's name for Turla) using APT34's malware and infrastructure in one targeted attack against an organization in the Middle East. The NCSC and NSA advisory, however, makes clear the Russian threat group used APT34's malware and infrastructure in attacks on multiple targets, especially in the Middle East.

"Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla's use of their implants," the NCSC said. "While Neuron and Nautilus tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements."

This is believed to be the first publicly known instance of one state-backed APT group hijacking and using a rival nation-state actor's attack infrastructure to expand victim targeting. "Although this type of activity has been discussed as a hypothetical tactic within the cybersecurity industry, it has rarely been publicly identified as being used operationally," says Alexandrea Berninger, senior cyber intelligence analyst at Symantec.

Like the NCSC, Symantec has found no evidence that the Iranian threat group knew it had been compromised or that another group was using its attack infrastructure to target the same victims. "The identification of Waterbug using Crambus' infrastructure in our report in June was the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group," Berninger notes.

According to the NCSC, Turla used APT34's hijacked tools both on networks the latter had already compromised as well as on additional victim networks. The data showed that Turla scanned for networks across 35 countries, many in the Middle East, for the presence of the Iranian ASPX backdoor associated with APT34. When it found these networks, the threat group attempted to leverage APT34's hijacked malware and infrastructure to establish its own separate presence on the same networks.

In some instances, APT34 would first deploy its implant on a victim network - only to have Turla access it later. The Russian group's ability to remotely connect to APT34's malware tools and get them to execute commands suggests that Turla had access to the relevant cryptographic keys and controllers belonging to the Iranian group, the NCSC said.

Somewhat ironically, even as APT34 was busy distributing its malware on target networks, Turla quietly deployed its own implants on the Iranian group's infrastructure and used them to expand its access into it.

More Attack Options

Avihai Ben Yossef, CTO of Cymulate, says Turla's strategy could provide the Russian group with more data and more options for attack. Breaking into APT34's infrastructure could provide them with a network of already compromised machines or databases from which to build out attacks. "This type of activity isn't at all common, as usually APT groups know how to protect their infrastructure and data," he says.

Turla/Waterbug also may be using the stolen infrastructure to throw off defenders and security researchers, says Berninger. Turla/Waterbug has a history of false flag operations and deceptive tactics, so the group's takeover of another group's network would fit into that pattern, she says.

Alternatively, the data also suggests that the Russian threat actor may be using Crambus/APT34's infrastructure to gain initial access to a victim network. "Waterbug is a sophisticated actor and likely has the capability to gain initial access via other means," Berninger notes.

But threat actors tend to be opportunistic. If they get a chance to break into a network without having to put the work into it, they are likely to take the opportunity. "Gaining access to another APT group's infrastructure could provide Waterbug access to multiple victims they have interest in and would allow Waterbug to drop additional tools onto those networks to maintain access and execute their objectives," she says.

Turla's strategy of riding on Crambus' back can complicate matters for targeted organizations, Berninger says. Because attribution becomes harder, defenders could end up deploying the wrong response to an attack, she notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
