UK and US say Russian hackers masqueraded as Iranian to launch attacks

Russian hacking group 'Turla' hijacked Iranian cyber-espionage operation to launch attacks in dozens of countries
A sign for the National Security Agency (NSA), US Cyber Command and Central Security Service, is seen near the visitor's entrance to the headquarters of the National Security Agency (AFP)

Russian hackers masqueraded as Iranians while launching attacks on government and business institutions in dozens of countries by exploiting an Iranian cyber-espionage operation, according to US and UK officials.

British security officials on Monday said the Russian group, known as "Turla", had used Iranian tools and computer infrastructure to successfully hack into organisations in at least 20 different countries over the last 18 months.

Turla is accused by Estonian and Czech authorities of operating on behalf of Russia's FSB security service.

The hacking campaign, the extent of which has not been previously revealed, was most active in the Middle East but also targeted organisations in Britain, they said.

Paul Chichester, a senior official at Britain's GCHQ intelligence agency, said the operation shows state-backed hackers are working in a "very crowded space" and developing new attacks and methods to better cover their tracks.

In a statement accompanying a joint advisory with the US National Security Agency (NSA), GCHQ's National Cyber Security Centre said it wanted to raise industry awareness about the activity and make attacks more difficult for its adversaries.

"The behaviour of Turla in scanning for backdoor shells indicates that whilst they had a significant amount of insight into the Iranian tools, they did not have full knowledge of where they were deployed," read the statement.

"While attribution of attacks and proving authorship of tools can be very difficult – particularly in the space of incident response on a victim network – the weight of evidence demonstrates that Turla had access to Iranian tools and the ability to identify and exploit them to further Turla’s own aims."

Officials in Russia and Iran did not immediately respond to requests by Reuters for comment sent on Sunday.

Moscow and Tehran have both repeatedly denied Western allegations over hacking.

'Fourth party collection'

Western officials rank Russia and Iran as two of the most dangerous threats in cyberspace, alongside China and North Korea, with both governments accused of conducting hacking operations against countries around the world.

Intelligence officials said there was no evidence of collusion between Turla and its Iranian victim, a hacking group known as "APT34" that cybersecurity researchers at firms including FireEye say works for the Iranian government.

Rather, the Russian hackers infiltrated the Iranian group's infrastructure in order to "masquerade as an adversary which victims would expect to target them," said Chichester, the British intelligence official.

Turla's actions show the dangers of wrongly attributing cyberattacks, British officials said, but added that they were not aware of any public incidents that had been incorrectly blamed on Iran as a result of the Russian operation.

The United States and its Western allies have also used foreign cyberattacks to facilitate their own spying operations, a practice referred to as "fourth party collection," according to documents released by former US intelligence contractor and whistleblower Edward Snowden and reporting by German magazine Der Spiegel.

GCHQ declined to comment to Reuters on Western operations.

By gaining access to the Iranian infrastructure, Turla was able to use APT34's "command and control" (C2) systems, the servers an intrusion set uses to issue instructions to compromised machines, to deploy its own malicious code, GCHQ and the NSA said in a public advisory.

The Russian group was also able to access the networks of existing APT34 victims and even access the code needed to build its own "Iranian" hacking tools.