NSA and NCSC: Russian state hackers hijacked tools from Iranian colleagues

A group of criminal hackers allegedly linked to the Russian government has used infrastructure belonging to an Iranian group that had no knowledge of this, the NSA and Britain’s National Cyber Security Centre have claimed.

The American intelligence service NSA, together with its British counterpart NCSC, published a document about the group called Turla, also known as Waterbug and Venomous Bear. According to the services, this is an advanced persistent threat (a term that usually denotes a state hacking group) from Russia. Turla is said to use the Neuron and Nautilus implants and the associated command & control infrastructure.

The American and British intelligence services also published reports in 2017 and 2018 on the use of Neuron and Nautilus by the Turla APT, but they have been monitoring the group itself for much longer. The NSA and NCSC are now reporting that this malware is likely Iranian in origin. The Iranian group responsible for the implants was almost certainly not aware of Turla’s use, the agencies claim.

Turla is said to have carried out scans to find out where the Iranian backdoors were located and then to have gone after those targets itself. The activity is said to have taken place mainly in the Middle East, and the targets of Neuron and Nautilus are said to include military facilities, government organizations, scientific institutes and universities.

To establish a secure connection to the implants, Turla must have had access to the cryptographic keys and controller software, the NSA and NCSC concluded. In addition, the group allegedly supplied the Neuron malware to targets it already had access to through its own Snake toolkit.