Russian Hackers Co-Opt Iranian Cyber Tools to Attack 35 Countries, NSA Warns

In a joint advisory, U.S. and British authorities said the Turla group is piggy-backing off the work of Iranian rivals to advance its own agenda.

Russian hackers used Iranian cyber tools and digital infrastructure to launch attacks on government and industry groups in dozens of countries, national security officials from the U.S. and the United Kingdom said Monday.

The Turla group, which is widely believed to be Russian in origin, used two Iranian hacking tools—Nautilus and Neuron—to target military, government, academic and scientific organizations in at least 35 different countries, according to a joint advisory released by the National Security Agency and the U.K.’s National Cyber Security Centre. So far, victims have largely been concentrated in the Middle East, officials said.

While authorities had previously flagged Turla’s use of the tools, this latest advisory offers new details on their origin and the extent of their damage. The disclosure paints a picture of Russian hackers piggy-backing off the work of Iranian rivals to advance their own agenda.

Authorities said the Nautilus and Neuron tools had “very likely” originated in Iran, but Turla had acquired both tools by early 2018. The group initially used the malware in combination with one of its own toolkits, called Snake, but eventually began targeting victims with the tools directly. According to the release, Turla worked to gain further access to targets by scouring their networks for backdoors that had been inserted by Iranian hackers.

In some cases, authorities found that Turla-affiliated hackers tried to access the network using implants that had previously been exploited, and subsequently destroyed, by Iranian advanced persistent threat groups.

“The timeline of incidents, and the behavior of Turla in actively scanning for Iranian backdoors, indicates that while Neuron and Nautilus tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements,” officials said in the advisory. “Although [Turla] had a significant amount of insight into the Iranian [backdoor shells], they did not have full knowledge of where they were deployed.”

“Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla’s use of their implants,” they added.

Authorities discovered that Turla also hacked into the command-and-control infrastructure of an Iranian APT group, known as OilRig or Crambus, and used the platform as a launchpad for their own attacks. 

Turla also reportedly stole troves of data—including key logs and directory lists and files—from an Iranian hacking organization, which helped the Russian group co-opt its previous work. 

“This access gave Turla unprecedented insight into the tactics, techniques and procedures of the Iranian APT, including lists of active victims and credentials for accessing their infrastructure, along with the code needed to build versions of tools such as Neuron for use entirely independently of Iranian [command-and-control] infrastructure,” authorities said.