A new cybersecurity report from the shows that the Russian cyber espionage group known as Turla has carried out a huge amount of cyber attacks all over the world.
Turla used three malware tools: Neuron, Nautilus, and ASPX. Experts say that all these tools are designed to steal data and maintain persistence on Windows networks.
Turla’s use of these tools to gather information about organizations in the technology, military, energy, and government sectors.
The main new point in this hacker story is that the Russians used all the Iranian cyberinfrastructure to hit the whole world.
After a malware analysis, it was found that Neuron and Nautilus are very likely Iranian in origin. The data shows that Turla not only hijacked the whole Iranian cyberspace and cyber weapons but also its command and control infrastructure to deliver malware and additional payloads on compromised systems.
The Russian threat group used Iranian malware and infrastructure in attacks on multiple targets, especially in the Middle East.
This is believed to be the first publicly known instance of one state-backed APT group hijacking and using a rival nation-state infrastructure to expand victim targeting.
In the past years, this type of activity has been discussed as a hypothetical tactic within the cybersecurity industry, it has rarely been publicly identified as being used operationally.
For the moment experts found no evidence that Iran knew it had been compromised or that another group was using its attack infrastructure to target the same victims.
Turla used APT34’s hijacked tools both on networks the latter had already compromised as well as on additional victim networks. The data showed that Turla scanned for networks across 35 countries, many in the Middle East, for the presence of the Iranian ASPX backdoor associated with APT34. When it found these networks, the threat group attempted to leverage APT34’s hijacked malware and infrastructure to establish its own separate presence on the same networks.
The irony is that while Iran’s APT34 was busy distributing its malware on target networks, Turla quietly deployed its own implants on Iran’s group’s APT infrastructure and used this to expand access into it.
Turla’s strategy could provide the Russian group with more data and options to attack.
Turla/Waterbug also may be using the stolen infrastructure to throw defenders and security.
Alternatively, the data also suggests that the Russian threat actor may be using Crambus/APT34’s infrastructure to gain initial access to a victim network.
Experts say that if Russians get a chance to break into a network without having to put the work into it, they are likely to take the opportunity.