Dark Reading is part of the Informa Tech Division of Informa PLC


10/21/2019
06:40 PM

Russian Hackers Using Iranian APT's Infrastructure in Widespread Attacks

New advisory from the UK's NCSC and the NSA throws fresh light on activity first revealed by Symantec in June.

A new report from the United Kingdom's National Cyber Security Centre (NCSC) shows that the Russia-backed cyber espionage group Turla has carried out more attacks than previously thought using infrastructure and malware hijacked from the Iranian threat group APT34.

The NCSC recently analyzed data pertaining to Turla's use of three malware tools — Neuron, Nautilus, and an ASPX-based backdoor — in attacks targeted at UK organizations. The tools are designed for attackers to steal data and maintain persistence on Windows networks.

The NCSC has previously noted Turla's use of these tools in intelligence-gathering operations targeting organizations in the technology, military, energy, and government sectors. But it had not until now connected the tools to APT34 (aka OilRig, Crambus) - though Symantec did so in a report back in June.

In a joint advisory with the National Security Agency (NSA) published Monday, the NCSC said its analysis of the malware, based on data from multiple sources, shows Neuron and Nautilus are "very likely Iranian in origin." The data shows that Turla hijacked not only APT34's tools but also its command-and-control infrastructure, using it to deliver malware and additional payloads to compromised systems, the NCSC said.

Symantec in June reported that it had observed Waterbug (the security vendor's name for Turla) using APT34's malware and infrastructure in one targeted attack against an organization in the Middle East. The NCSC and NSA advisory, however, makes clear the Russian threat group used APT34's malware and infrastructure in attacks on multiple targets, especially in the Middle East.

"Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla's use of their implants," the NCSC said. "While Neuron and Nautilus tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements."

This is believed to be the first publicly known instance of one state-backed APT group hijacking and using a rival nation-state actor's attack infrastructure to expand victim targeting. "Although this type of activity has been discussed as a hypothetical tactic within the cybersecurity industry, it has rarely been publicly identified as being used operationally," says Alexandrea Berninger, senior cyber intelligence analyst at Symantec.

Like the NCSC, Symantec has found no evidence that the Iranian threat group knew it had been compromised or that another group was using its attack infrastructure to target the same victims. "The identification of Waterbug using Crambus' infrastructure in our report in June was the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group," Berninger notes.

According to the NCSC, Turla used APT34's hijacked tools both on networks the latter had already compromised as well as on additional victim networks. The data showed that Turla scanned for networks across 35 countries, many in the Middle East, for the presence of the Iranian ASPX backdoor associated with APT34. When it found these networks, the threat group attempted to leverage APT34's hijacked malware and infrastructure to establish its own separate presence on the same networks.

In some instances, APT34 would first deploy its implant on a victim network, only to have Turla access it later. The Russian group's ability to connect remotely to APT34's malware and get it to execute commands suggests that Turla had access to the relevant cryptographic keys and controllers belonging to the Iranian group, the NCSC said.
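The two paragraphs above describe the defender-visible side of this: one web backdoor on a victim host being driven by two unrelated operators. The following is an added example, not code from the article or from the NCSC/NSA advisory. It parses IIS W3C log lines, collects the external (client IP, user agent) pairs that POST to each .aspx resource, and flags resources operated from more than one source network or client tool. The log excerpt, paths, addresses, user agents and the internal-range list are all constructed for illustration; the advisory gives no indicators, and none are implied here.

```python
"""
Added example (not the advisory's or the article's code): a small analytic
over IIS W3C log lines. For each .aspx resource it collects the external
(client IP, user agent) pairs that POST to it, then flags resources being
driven from more than one source network or client tool. That is the
log-level shape of one actor's web backdoor being operated by a second
actor. Every path, address and user agent below is constructed.
"""
from collections import defaultdict
import ipaddress

# Constructed IIS W3C extended-format excerpt. IIS writes '+' in place of
# spaces inside the User-Agent field, so whitespace splitting is safe here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-06-10 08:02:11 10.0.0.5 GET /portal/login.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2019-06-10 08:02:30 10.0.0.5 POST /portal/login.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 302
2019-06-10 08:05:40 10.0.0.5 POST /content/help.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2019-06-10 08:05:52 10.0.0.5 POST /content/help.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2019-06-12 22:41:03 10.0.0.5 POST /content/help.aspx - 443 - 198.51.100.23 python-requests/2.22.0 200
2019-06-12 22:41:09 10.0.0.5 POST /content/help.aspx - 443 - 198.51.100.23 python-requests/2.22.0 200
2019-06-13 01:10:00 10.0.0.5 POST /content/help.aspx - 443 - 198.51.100.24 python-requests/2.22.0 200
2019-06-13 09:00:00 10.0.0.5 POST /admin/tasks.aspx - 443 - 10.0.1.40 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Assumed internal ranges; an operator would substitute their own allow-list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_w3c(text):
    """Yield one dict per log record, using the '#Fields:' directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record: skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_internal(ip):
    """True when the address falls in one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def operator_clusters(text):
    """Map each .aspx path to the set of external (client IP, user agent) pairs that POST to it."""
    clusters = defaultdict(set)
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or not rec["cs-uri-stem"].lower().endswith(".aspx"):
            continue
        if is_internal(rec["c-ip"]):
            continue
        clusters[rec["cs-uri-stem"]].add((rec["c-ip"], rec["cs(User-Agent)"]))
    return dict(clusters)


def shared_implants(text, min_sources=2):
    """Return paths whose POSTs come from at least `min_sources` distinct /24s or distinct client tools."""
    flagged = {}
    for path, pairs in operator_clusters(text).items():
        agents = {ua for _, ua in pairs}
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip, _ in pairs}
        if len(agents) >= min_sources or len(nets) >= min_sources:
            flagged[path] = sorted(pairs)
    return flagged


if __name__ == "__main__":
    for path, pairs in shared_implants(SAMPLE_LOG).items():
        print(path)
        for ip, ua in pairs:
            print(f"  {ip:<16} {ua}")
```

On the constructed data, /content/help.aspx is flagged because it receives POSTs from two source networks and two different client tools, while /portal/login.aspx (one external source) and /admin/tasks.aspx (internal source only) are not. Treat the output as a triage signal rather than attribution: a single actor rotating its own infrastructure produces the same pattern, which is exactly the ambiguity the article's closing paragraphs warn about.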

Somewhat ironically, even as APT34 was busy distributing its malware on target networks, Turla quietly deployed its own implants on the Iranian group's infrastructure and used them to expand its access into it.

More Attack Options

Avihai Ben Yossef, CTO of Cymulate, says Turla's strategy could provide the Russian group with more data and options to attack. Breaking into APT34 infrastructure could provide them with a network of already compromised machines or databases from which to build out attacks. "This type of activity isn't at all common, as usually APT groups know how to protect their infrastructure and data," he says.

Turla/Waterbug also may be using the stolen infrastructure to mislead defenders and security researchers, says Berninger. Turla/Waterbug has a history of false flag operations and deceptive tactics, so the group's takeover of another group's network would fit into that pattern, she says.

Alternatively, the data also suggests that the Russian threat actor may be using Crambus/APT34's infrastructure to gain initial access to a victim network. "Waterbug is a sophisticated actor and likely has the capability to gain initial access via other means," Berninger notes.

But threat actors tend to be opportunistic. If they get a chance to break into a network without having to put the work into it, they are likely to take the opportunity. "Gaining access to another APT groups' infrastructure could provide Waterbug access to multiple victims they have interest in and would allow Waterbug to drop additional tools onto those networks to maintain access and execute their objectives," she says.

Turla's strategy of riding on Crambus' back can complicate matters for targeted organizations, Berninger says. Because attribution becomes harder, defenders could end up deploying the wrong response to an attack, she notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
