Russia-backed hacking group uses Iranian tools to attack Middle East targets

A suspected Russia-backed cyber hacking group used Iranian tools to attack 35 countries, the National Security Agency (NSA) and the United Kingdom’s National Cyber Security Centre (NCSC) warned Monday.

The NSA and the NCSC found that the Russian hacking group, known as Turla, used tools created by Iranian hacking groups to target victims mostly based in the Middle East and to steal documents from governments and other entities. Turla specifically targeted victims in countries including Saudi Arabia, Kuwait, Qatar and the United Arab Emirates.

{mosads}In some cases, the agencies found that Turla attacked the same victims that the Iranian hacking groups that created the tools had previously targeted.  

The NSA noted in its joint advisory with the NCSC that Turla stole data from Iranian infrastructure as well, including directory listings and files, enabling Turla to gain “unprecedented insights” into the strategies used by the Iranian hacking group to target victims. 

The NSA and NCSC wrote that the Iranian hackers behind the creation of the cyber tools used by Turla “were almost certainly not aware of, or complicit with, Turla’s use of their implants.”

Paul Chichester, the director of operations at the NCSC, said in a statement that “Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign.”

Chichester added that “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them. Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims.”

The NSA wrote that “while attribution of attacks and proving authorship of tools can be very difficult – particularly in the space of incident response on a victim network – the weight of evidence demonstrates that Turla had access to Iranian tools and the ability to identify and exploit them to further Turla’s own aims.”

According to the NCSC, Turla is an active cyber group that regularly targets government, military, technology, energy and commercial groups to obtain information. 

The announcement of these cyber activities comes after a ramp-up in cyber activities between the U.S. and Iran in recent months. Reuters reported last week that the U.S. had attacked Iran’s ability to spread “propaganda” in retaliation for what the U.S. claims were Iranian airstrikes on Saudi Arabian oil facilities.