Russia-linked group likely used Iranian hacking tools, NSA says
By ALYZA SEBENIUS | Bloomberg | Published: October 23, 2019
WASHINGTON (Tribune Content Agency) — A Russia-linked group is believed to have utilized Iranian tools to conduct cyber attacks against dozens of countries, in an apparent effort to mask their identities, according to joint advisories by the U.S. and the U.K.
The group, known as Turla, used tools from suspected Iran-based hacking groups and deployed them against old and new targets. In order to acquire the tools, Turla “compromised the suspected Iran-based hacking groups themselves,” according to the U.S. National Security Agency and the U.K.’s National Cyber Security Centre, which released the advisories on Monday.
The original owners of the tools “were almost certainly not aware of, or complicit with, Turla’s use of their implants,” the agencies said.
The attacks, against more than 35 countries, would appear to the victims as coming from Iran. “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” said Paul Chichester, director of operations for the U.K. cyber agency, in one of the advisories.
Turla, which is also known as Waterbug or Venomous Bear, collects information by targeting government, military, technology, energy and commercial operations for the purposes of intelligence collection, the agencies said.
“After acquiring the tools — and the data needed to use them operationally — Turla first tested them against victims they had already compromised,” according to one of the advisories. Following this, they “then deployed the Iranian tools directly to additional victims.”
The U.K. cyber agency had published advisories about Turla in 2017 and 2018.
In a June report, cited by the agencies, the cybersecurity company Symantec Corp. said that Turla had spent a year and a half attacking international and government organizations “in a series of campaigns that have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of another espionage group’s infrastructure.”
Now that Turla is armed with Iranian tools, the best way to lessen the risk is to update vulnerable systems, one of the advisories said.