What happened?
The National Security Agency (NSA) and the UK's National Cyber Security Centre (NCSC) released a joint advisory stating that the Russian threat actor group Turla compromised the infrastructure of an Iranian threat group and used it to launch cyberattacks on targets in various countries.
The detailed picture
According to the advisory, Turla, also known as Waterbug, Snake, WhiteBear, and VENOMOUS BEAR, hijacked the command-and-control (C&C) infrastructure of an Iranian APT group and used it to attack targets in dozens of countries.
A report from Symantec stated that Turla was observed spreading its own malware via a Poison Frog panel, a tool attributed to the Iran-sponsored APT34, also known as OilRig.
Using the Neuron and Nautilus tools, Turla has targeted a range of victims in the Middle East and elsewhere. Victims in this region include military and government entities, research organizations, and universities.
Worth noting
Turla has also used victim networks it had previously compromised with Snake to scan for servers infected with the ASPX web shells in at least 35 countries, including Saudi Arabia, Kuwait, Qatar, and the UAE.
“After acquiring the tools – and the data needed to use them operationally – Turla first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims,” the advisory read.