Posted on October 21, 2019 at 2:14 PM
It is poetic justice to find out that a hacker group was, in turn, hacked. In this case, it was really just a matter of the group trying to hide its identity while it, in turn, hacked other targets.
The Iranian hacker group APT34 has been hacked by a Russian group named Turla. Turla has previously been accused by both Czech and Estonian authorities of operating on behalf of the Russian FSB security service. This group piggy-backed on the Iranian group's operations in order to conduct dozens of attacks across multiple countries.
The hacking campaign Turla conducted was mostly active in the Middle East, but it also targeted select organizations in Britain. Turla was involved in successful hacks in at least twenty countries over the past 18 months.
Paul Chichester, a senior official at Britain's GCHQ, stated that the operation shows that state-backed hackers are currently working within a crowded space. Within this space, they are developing new methods of both attack and obfuscation to make their operations more effective.
In a joint advisory with its US counterpart, the NSA, GCHQ's National Cyber Security Centre stated that it wanted to raise industry awareness about the activity. This is in a bid to make it more difficult for adversaries to initiate an attack.
Chichester, who serves as the NCSC's Director of Operations, made it clear he was sending a message. He wanted cyber actors to know that they can't mask their identity. He wanted to make it clear that the NCSC's capabilities allow it to uncover their real identities.
Officials in both Russia and Iran have declined to comment about the matter, at least for now. Both Tehran and Moscow have repeatedly denied allegations of any form of hacking.
Russia Duping Iran
There are, generally speaking, four countries regarded as the worst threats in cyberspace, at least by the Western world. These countries are Russia, Iran, China, and North Korea. Both Russia and Iran have already been accused of conducting hacking operations against countries around the world.
Interestingly enough, intelligence officials have said that there isn't any evidence of collusion between Turla and their Iranian victims. The hacking group, officially dubbed APT34, is suspected by cybersecurity firms such as FireEye of working for the Iranian government.
It's suspected that the Russian hackers infiltrated the Iranian group's infrastructure in order to hide their tracks behind the group's framework. If this were successful, there would be no eyes on Turla, only on APT34.
British officials warn that Turla's actions show the inherent dangers of wrongly attributing cyberattacks. However, the British officials went on to say that they are not aware of any incident in which an attack was falsely laid at APT34's door because of the Russian operation.
Because Turla gained access to Iranian infrastructure, they could make use of APT34's command and control systems to deploy malicious code. On top of that, they even managed to gain access to the existing network of APT34 victims, using them for their own purposes. They also obtained the code needed to build their own "Iranian" hacking tools, opening up a new avenue of warfare.
Grey vs. Grey
While it may seem new, the US and its Western allies have already done something like this. The practice of using foreign cyberattacks to facilitate your own espionage is called "Fourth Party Collection." Former US intelligence contractor Edward Snowden explained it to the German magazine Der Spiegel. The report in full will be linked here.
Somewhat understandably, the GCHQ declined to comment about any such thing.
The cybersecurity world is a bizarre one, indeed. The war fought there can't be seen with regular eyes. Entire networks of PCs have been used for the hackers' purposes, with the users behind the PCs none the wiser.
This article would like to recommend updating or installing antivirus software on your PC.