WASHINGTON, DC -- A Russian group tapped into an Iranian cyber-espionage operation to attack government and industry organisations in dozens of countries while posing as hackers from the Iranian regime, British and US officials said.
The group, known as "Turla", in the past has used "a range of tools and techniques to target government, military, technology, energy and commercial organisations for the purposes of intelligence collection," the US National Security Agency and the United Kingdom (UK)'s National Cyber Security Centre (NCSC) said in a joint report published Monday (October 21).
Turla is believed to be sponsored by the Russian FSB intelligence agency.
"Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims," said Paul Chichester, a senior official at the UK's GCHQ intelligence agency.
The hacking campaign targeted more than 35 countries, the majority of whom were based in the Middle East. Various documents were extracted in the cyber operation, the report said.
The attacks at first appeared to be Iranian in origin, but the NCSC revealed that this was not the case, Chichester said.
Turla hijacked so-called implants derived from the suspected Iran-based hacking groups' previous campaigns, called "Neuron" and "Nautilus". In order to acquire these tools and access the infrastructure, Turla also compromised the suspected Iran-based hacking groups themselves, the NCSC said.
By acquiring access to the Iranian infrastructure, Turla was able to use the Iranian group's "command-and-control" systems to deploy its own malicious code, the NCSC said.
No evidence of collusion between the Russian group and its Iranian victim was found, said intelligence officials.
The latest Russian cyber attack
The incident marks the latest Russian attempt to attack countries and organisations through cyber-espionage and subterfuge to exert malign influence.
In April 2018, two Russian "diplomats" were caught attempting to hack into the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.
The alleged Russian agents from the GU (formerly GRU) military intelligence agency used electronic equipment hidden in a car parked outside a nearby hotel, according to Dutch government officials.
The timing of the attempted hack was significant as Moscow was accused of purposely delaying OPCW access to a chemical weapons attack in Douma, Syria, giving the Kremlin time to tamper with the site.
At the time, the OPCW was investigating the poisoning of former Russian double agent Sergei Skripal and his daughter in March 2018 in Salisbury, United Kingdom, as well as a major chemical attack in Syria.
In May 2018, the US Justice Department said that it had seized an internet domain that directed a dangerous botnet of a half-million infected home and office network routers, controlled by hackers believed tied to Russian intelligence.
The move was aimed at breaking up an operation deeply embedded in small and medium-size computer networks that could allow the hackers to take control of computers as well as easily steal data.
The group was involved in the operation to hack and release damaging information on the Democratic Party during the 2016 US presidential election, said US intelligence agencies.