Hackers hacking hackers

Earlier this week, the UK’s National Cyber Security Centre (NCSC) and the USA’s National Security Agency (NSA) revealed that the Russian hacker group widely known as Turla had been using the Iranian APT Oilrig’s tools and infrastructure to target victims for its own ends.

The researchers came to this conclusion when investigating an attack that had been carried out on a UK academic institution. They claimed Turla was not only managing to obtain information stolen by the Iranians, but was also using Oilrig’s access to victim sites for its own ends.

Attacks were eventually discovered against organisations in more than 35 countries with the majority of the victims being located in the Middle East.

No evidence suggesting that the Russians and Iranians have been working together has been presented.

Turla, also known as Krypton, Venomous Bear, Waterbug, Uroburos or Snake, is a highly sophisticated hacking group from Russia, which is likely to be state-sponsored: Estonian and Czech security authorities have both accused it of carrying out its cyber-espionage activities on behalf of Russia’s FSB security agency.

Operating since 2007/2008, the APT is believed to have targeted diplomatic and government entities, military, energy and nuclear research organisations, technology companies and academic organisations in the USA, Europe and former Eastern Bloc countries in complex campaigns: these have included the breach of US Central Command in 2008, compromises of the Finnish Foreign Ministry (2013), Swiss military firm RUAG (2014-2016) and the German Government (2017/2018).

Turla usually uses spear-phishing techniques and watering-hole attacks to infect targeted victims, deploying a wide variety of open-source and custom tools in its reconnaissance and data exfiltration activities.

Oilrig, widely believed to be linked to the Iranian Ministry of Intelligence, is also known by a variety of names, including APT34, Crambus, TwistedKitten, IRN2 and HelixKitten. It has affiliations with other state-sponsored Iranian groups, such as GreenBug, Chafer, Chrysene and Muddywater; it is even possible that some of these groups are one and the same.

Active since at least 2014, Oilrig’s major focus is on stealing information from organisations in the Middle East that are perceived to pose some sort of threat to the Iranian state. It has targeted government agencies, defence organisations, financial institutions, energy, chemical, telecom and other high-value companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait, Qatar and Turkey.

The group initially used spear-phishing emails containing malicious Word documents and Excel spreadsheets with macros that drop VBS files, but has updated and enhanced its tools and techniques in recent years.

This week’s revelations about Turla’s alleged theft of Oilrig’s tools are not new. In fact, security firm Symantec revealed back in June this year that the Russian APT was suspected of hijacking Oilrig’s infrastructure for an attack on a target in the Middle East.

The researchers detailed how “a customized variant of the publicly available hacking tool Mimikatz was downloaded to a computer on the victim’s network from known Crambus-controlled network infrastructure”.

It is not clear how Turla managed to hijack Oilrig’s tools. However, Paul Chichester, NCSC director of operations, said the Russian group was able to “piggyback” on Oilrig’s attacks by “monitoring an Iranian hack closely enough to use the same backdoor route into an organisation or to gain access to the resulting intelligence”, before moving on to using the Iranians’ command-and-control infrastructure and software.

However, it is also worth mentioning that in April this year, an Iranian group named LabDookhtegan started leaking information about Oilrig, firstly by doxing a couple of alleged members of the APT, and then by moving on to publishing details of what appeared to be tools the state-sponsored group was using. The leakers described themselves as “exposing here the hacking and penetration capabilities that are used to spy on innocent compatriots”, including “an important cyber tool activity deployed by the Iranian Ministry of Intelligence and its name is Karkoff tool for DNSpionage activity”. Screenshots posted on Twitter by the hackers showed information on the targets in claimed attacks against Lebanon.

Whether or not Turla used these leaks to enhance their own hijacking of Oilrig is of course unknown; nor can we be sure that the information revealed is genuine.

Predictably, Moscow has denied the accusations levelled against Turla. Dismissing this week’s media reports, a spokesman for the Russian embassy in the UK said: “These publications are an unsavory interpretation of a concise report of the British National Cyber Security Centre and the American National Security Agency.” He added that the reports could also be seen as an attempt to “drive a wedge” between Russia and Iran.

Iranian authorities have also routinely denied any involvement in hacking campaigns around the world.

Meanwhile, British security agencies have warned that Turla’s recent activities illustrate the risk of wrongly attributing cyber-attacks to a specific actor or APT: when one group borrows another’s tools and infrastructure, the indicators observed on a victim network may point to the wrong actor. Companies and organisations should therefore remain open to alternative interpretations when investigating breaches and attempting to identify the hackers or groups behind cyber-espionage campaigns.