Tools and servers of Iranian threat group are being used by Russian hackers as cover

Turla cyber-espionage group rooted in Russia used stolen malware and infrastructure of the Iranian-sponsored OilRig to attack targets from several countries according to a joint UK's National Cyber Security Centre (NCSC) and U.S. National Security Agency(NSA) advisory.

Turla being an advanced threat group is tracked by security outfits as Waterbug, Snake, WhiteBear, Venomous Bear, and Krypton. Turla is an advanced persistent threat (APT) group with a focus on cyber-spying and a huge section of victims from military and government to education and research entities. OilRig is an APT with Iranian government links which is known for operating worldwide cyber-espionage campaigns, usually covering Middle Eastern companies and government agencies.

Turla's hijack was first reported in June when the researchers found that the Russian APT was using some of Iranian C2 servers. Researchers have also released an advisory stating that the Russian APT was found using various Iranian tools including the Neuron and Nautilus Implants. ASPX-based backdoor beside snake rootkit was used to compromise, maintain persistence, and exfiltrate data. Turla used victim networks previously compromised using Snake to find servers infected with the ASPX shells. These compromised networks were used in at least 35 countries, including Saudi Arabia, Kuwait, Qatar and UAE.

Victims targeted by Turla included military establishment, government departments, scientific organizations and universities. Turla used the acquired tools against victims with Snake implants and further deployed the attack to all other victims.

Use NPAV and join us on a mission to secure the cyber world.