Russian hackers piggybacked an Iranian cyberespionage operation to attack government and industry organizations in dozens of countries while masquerading as attackers from the Islamic Republic, British and US officials said on Monday.
The so-called Turla group, also known as Waterbug or Venomous Bear, is widely reported to be associated with Russian actors. The US National Security Agency and Britain's National Cyber Security Centre said Monday that Turla acquired control of the tools and infrastructure of Iranian hacking groups for their attacks in an attempt to mask their identity.
Follow Israel Hayom on Facebook and Twitter
The attacks extracted documents from multiple sectors, including governments, and were mostly carried out in the Middle East but also targeted organizations in Britain.
Paul Chichester, the NCSC's director of operations, said Monday: "Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims."
Chichester said the operation shows state-backed hackers are working in a "very crowded space" and developing new attacks and methods to better cover their tracks.
In a statement accompanying a joint advisory with the NSA, the NCSC said it wanted to raise industry awareness about the activity and make attacks more difficult for its adversaries.
"We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them," said Chichester.
Officials in Russia and Iran did not immediately respond to requests for comment sent on Sunday. Moscow and Tehran have both repeatedly denied Western allegations over hacking.
Western officials rank Russia and Iran as two of the most dangerous threats in cyberspace, alongside China and North Korea, with both governments accused of conducting hacking operations against countries around the world.
Intelligence officials said there was no evidence of collusion between Turla and its Iranian victim, a hacking group known as "APT34," which cybersecurity researchers at firms including FireEye say works for the Iranian government.
Rather, the Russian hackers infiltrated the Iranian group's infrastructure in order to "masquerade as an adversary which victims would expect to target them," said GCHQ's Chichester.
Turla's actions show the dangers of wrongly attributing cyberattacks, British officials said. They added they were unaware of any public incidents incorrectly blamed on Iran as a result of the Russian operation, though.
"Our main intent right here is to point out that there's a lot of false flagging going on out there and we want to make sure that our national security systems that we're trying to defend are aware," said Doug Cress, a division chief within the NSA's newly formed Cybersecurity Directorate.
The United States and its Western allies have also used foreign cyberattacks to facilitate their own spying operations, a practice referred to as "fourth party collection," according to documents released by former US intelligence contractor Edward Snowden and reporting by German magazine Der Spiegel.
GCHQ declined to comment on Western operations.
"Collection efforts which leverage other infrastructure and the capability of peers, such as this, offer a low-cost, high-reward way to conduct operations while potentially confusing attribution," explained FireEye director of intelligence analysis John Hultquist.
By gaining access to the Iranian infrastructure, Turla was able to use APT34's "command and control" systems to deploy its own malicious code, GCHQ and the NSA said in a public advisory.
"I would say they are extremely talented and effective. They're someone we keep a close eye on because we're worried about them damaging our national security systems," Cress said about Turla.
The Russian group was also able to access the networks of existing APT34 victims and even access the code needed to build its own "Iranian" hacking tools.
