Cyber shock: ‘Russian hacker steals UK and US state secrets disguised as Iranian spies’

Both UK and US intelligence agencies have accused the Turla group, allegedly based in Russia, of letting an Iranian hacking outfit take the blame for a spate of cyber espionage after gaining access to its cyber tools and infrastructure and piggybacking on its hacking exploits. Paul Chichester, the NCSC’s director of operations, said: “Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign. We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.

“Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims.”

Turla, or Uroboros, is a Trojan package suspected by computer security researchers and Western intelligence officers to be the product of a Russian government agency of the same name.

Turla has been targeting governments and militaries since at least 2008.

In December 2014 there was evidence of it targeting the Linux operating system.

This advanced persistent threat hacking group has been described as “Russian spies” by Dan Goodin, security editor of Ars Technica.

This gave the alleged Russia-linked actors access to the secrets of a number of governments and other entities, mainly in the Middle East, already allegedly compromised by the Iranians.

The suspected Russian hackers became so well-versed in the methods used by the group, known as APT34 or OilRig, that they were able to launch their own cyberattacks posing as the Iranians, according to the UK’s National Cyber Security Centre (NCSC).

This meant victims that initiated investigations to find out who targeted them would more likely blame the Iran-linked group when actually the culprit was the Russia-linked group.

Both agencies have released advisories on their findings to raise awareness among businesses and the public of the risk of incorrect attribution.

The relatively rare public joint action, calling out the alleged cyber espionage of a suspected Russia-linked group, is also aimed at deterring such activity, Mr Chichester said.

The NCSC said it had found cyberattacks against more than 35 countries.

Attacks in at least 20 of these countries were successful; they appeared to have originated from Iranian-linked hackers but were in fact launched by the suspected Russian-linked group.

Turla is accused of regularly collecting intelligence by targeting government, military, technology, energy and commercial organisations.

There is no suggestion the Iranians knew or were complicit in their systems being allegedly hacked by the Turla group, Mr Chichester said.

A report released in June by the cyber security company Symantec first alleged Turla, also known as Waterbug, had gained access to the servers belonging to APT34.

The shocking announcement is the first time the British and US governments have made this claim.

It is also the first time the scale of the attacks and their apparent success rate has been revealed.

source: express.co.uk