By Kate O’Flaherty
Oct 21, 2019, 05:14am
Russian cyber actors disguised themselves as Iranian spies so they could stealthily orchestrate attacks on countries across the world, the U.S. and U.K. said today (October 21) in a joint statement.
The so-called Turla group, which is also known as Snake or Uroburos, hid in plain sight by acquiring Iranian tools and infrastructure to perform its attacks, the U.K.’s National Cyber Security Centre (NCSC) and the U.S. National Security Agency said.
In total, 35 countries were attacked, including the U.K. and U.S., with a “large cluster” of victims based in the Middle East. Victims included military establishments, government departments, scientific organisations and universities.
Turla used implants derived from Iranian hackers’ previous campaigns, “Neuron” and “Nautilus”, which it obtained by compromising the Iran-based hackers themselves.
“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign,” said Paul Chichester, the NCSC’s director of operations.
In a defiant statement, he sent a warning to attackers that “even when cyber actors seek to mask their identity,” it’s possible for intelligence agencies to identify them.
The NCSC added that in some instances, it appeared that the implant had first been deployed by an IP address associated with an Iranian APT group, which was later accessed from infrastructure associated with the Russian group Turla. This suggests Turla effectively took control of victims previously compromised by a different actor, the NCSC said.
Russian group Turla targets government, military, technology, energy and commercial organizations. The NCSC published two advisories on the use of Neuron and Nautilus tools by Turla in late 2017 and early 2018.
NSA and NCSC warning and the Russia plausible deniability problem
Russia is one of the most sophisticated cyber actors in the world, so it’s no surprise that the country’s hackers are finding new ways to confuse and stay hidden.
Plausible deniability is an ongoing issue in the increasingly complex cyber warfare environment. “Cyberspace is not regulated in the same way as land, maritime, air or space when it comes to international actions relating to war with an equivalent of the Geneva Conventions and Protocols or an Outer Space Treaty,” says Philip Ingram, MBE, a former colonel in British military intelligence. “To avoid political embarrassment and the possibility of political repercussions, the use of a plausibly deniable outlet is key: Without substantive proof, there can never be substantive repercussions.”
Meanwhile, the Russians have a doctrine called маскировка (maskirovka), which encourages “masking” or deception. “This is central to all they do; it allows them to interfere overseas but be able to deny it. We saw this with the attack on Sergei Skripal in Salisbury last year,” Ingram says.
Ingram also points out that Iran is “a closed country with little access to western academia and training,” yet it appears to be able to “mount some of the most sophisticated cyber incidents.”
“We hear the same of North Korea, who should have zero access to technology, academia, and extremely controlled access to the internet,” Ingram adds.
Could it be that Russia is behind more incidents than people think? “A smudge of what could be a Russian fingerprint sits over many incidents,” says Ingram. “Not enough for real proof, but something that always seems to be there.”