Hacking the hackers: Russian group hijacked Iranian spying operation,
officials say
Send a link to a friend
 [October 21, 2019]
By Jack Stubbs
LONDON (Reuters) - Russian hackers
piggy-backed on an Iranian cyber-espionage operation to attack
government and industry organizations in dozens of countries while
masquerading as attackers from the Islamic Republic, British and U.S.
officials said on Monday.
The Russian group, known as "Turla" and accused by Estonian and Czech
authorities of operating on behalf of Russia's FSB security service, has
used Iranian tools and computer infrastructure to successfully hack in
to organizations in at least 20 different countries over the last 18
months, British security officials said.
The hacking campaign, the extent of which has not been previously
revealed, was most active in the Middle East but also targeted
organizations in Britain, they said.
Paul Chichester, a senior official at Britain's GCHQ intelligence
agency, said the operation shows state-backed hackers are working in a
"very crowded space" and developing new attacks and methods to better
cover their tracks.
In a statement accompanying a joint advisory with the U.S. National
Security Agency (NSA), GCHQ's National Cyber Security Centre said it
wanted to raise industry awareness about the activity and make attacks
more difficult for its adversaries.
"We want to send a clear message that even when cyber actors seek to
mask their identity, our capabilities will ultimately identify them,"
said Chichester, who serves as the NCSC's director of operations.
Officials in Russia and Iran did not immediately respond to requests for
comment sent on Sunday. Moscow and Tehran have both repeatedly denied
Western allegations over hacking.
GLOBAL HACKING CAMPAIGNS
Western officials rank Russia and Iran as two of the most dangerous
threats in cyberspace, alongside China and North Korea, with both
governments accused of conducting hacking operations against countries
around the world.
Intelligence officials said there was no evidence of collusion between
Turla and its Iranian victim, a hacking group known as "APT34" which
cybersecurity researchers at firms including FireEye FEYE.O say works
for the Iranian government.
[to top of second column]
|
A man types on a computer keyboard in Warsaw in this February 28,
2013 illustration file picture. Kacper Pempel//File Photo
Rather, the Russian hackers infiltrated the Iranian group's
infrastructure in order to "masquerade as an adversary which victims
would expect to target them," said GCHQ's Chichester.
Turla's actions show the dangers of wrongly attributing cyberattacks,
British officials said, but added that they were not aware of any
public incidents that had been incorrectly blamed on Iran as a
result of the Russian operation.
The United States and its Western allies have also used foreign
cyberattacks to facilitate their own spying operations, a practice
referred to as "fourth party collection," according to documents
released by former U.S. intelligence contractor Edward Snowden and
reporting by German magazine Der Spiegel.
GCHQ declined to comment on Western operations.
By gaining access to the Iranian infrastructure, Turla was able to
use APT34's "command and control" systems to deploy its own
malicious code, GCHQ and the NSA said in a public advisory.
The Russian group was also able to access the networks of existing
APT34 victims and even access the code needed to build its own
"Iranian" hacking tools.
((Additional reporting by Vladimir Soldatkin in Moscow and Babak
Dehghanpisheh in Geneva; Editing by Frances Kerry))
[© 2019 Thomson Reuters. All rights
reserved.]
Copyright 2019 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
Thompson Reuters is solely responsible for this content.
 |
