Russian APT Turla targets 35 countries on the back of Iranian infrastructure

Dozens of countries have become embroiled in a state-backed spat between Russian and Iranian hacking groups, security agencies have warned. 

On Monday, the UK's National Cyber Security Centre (NCSC), together with the US National Security Agency (NSA), published an advisory warning that military establishments, government departments, scientific organizations, and universities are among victims of an ongoing hacking campaign undertaken by Turla. 

Turla, also known as Snake, Uroburos, Waterbug or Venomous Bear, is believed to originate from Russia. 

As an advanced persistent threat (APT), members of Turla have state backing, granting them more resources than your average cyberattackers -- and making them more dangerous as a result. 

The joint report says that at least 35 countries have become targets, of which the majority are in the Middle East, and at least 20 have been successfully compromised over the past 18 months. 

Believed to be sponsored by the Russian FSB security service, Turla has been active since at least 2008 and while constantly evolving its own toolkit, has also been turning its attention towards the infrastructure and resources of other APTs. 

As ZDNet previously reported in June, the Russian threat actors have hijacked the systems of a rival APT. Hailing from Iran, APT34 -- also known as Oilrig or Crambus -- has been compromised and its "Poison Frog" command-and-control (C2) servers have been hijacked by Turla to drop its own brand of malware on PCs already infected by Oilrig. 

Symantec researchers came to this conclusion after finding evidence of a Turla task scheduler on an Oilrig-compromised system. A Middle Eastern government entity was the victim of this specific attack. 

See also: Russian APT hacked Iranian APT's infrastructure back in 2017

There is currently no evidence to suggest Oilrig has fought back against the exploitation of its systems by another attack group, a scenario that highlights what is becoming an increasingly inter-competitive arena -- and what Paul Chichester, NCSC director of operations believes is now a "very crowded space."

Turla's Snake toolkit has been used alongside Neuron and Nautilus malware implants, both of which have been connected to Iran. The agencies believe Turla first acquired access to these tools before testing them on victims already compromised via Snake. 

In some cases, Oilrig-linked IP addresses would deploy these implants and Turla-based infrastructure would access the same payloads later on. 

"Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla's use of their implants," the agencies say. "Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold."

TechRepublic: What is a zero-day vulnerability?

The Russian APT's main focus is often data exfiltration, and when the group focused its efforts on compromising Oilrig, keyloggers were also deployed to monitor the other APT's activities, techniques, and tactics -- alongside active victims and the credentials needed to access their systems. According to the agencies, the code required to lift the Iranian tools from the C2 for independent use.  

Turla's evolving toolset is being watched by cybersecurity firms with interest across the globe. LightNeuron, for example, is a new and highly-complex backdoor spotted by ESET that works as a mail transfer agent on Microsoft Exchange email servers to intercept and tamper with messages. 

CNET: The best antivirus protection of 2019 for Windows 10

The use of Powershell in attacks to load executables in memory has also been a new development, and earlier this month, Kaspersky said Turla was likely to blame for a campaign in which the internal mechanisms of browsers including Firefox and Chrome were being tampered with to fingerprint traffic streams. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

• Turla turns PowerShell into a weapon in attacks against EU diplomats
  
• Russian cyberspies are using one hell of a clever Microsoft Exchange backdoor
  
• WAV audio files are now being used to hide malicious code
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0