Turla Teardown: Why Attribute Nation-State Attacks?
Unmasked: Russians Hijacked Iranian Attack Infrastructure and Malware
Pro tip from information security experts: If a Western intelligence agency issues an alert about online attacks, pay attention, because the alert isn't for its health; it's for yours.
In January 2018, Britain's National Cyber Security Centre, part of the Government Communications Headquarters intelligence agency, issued a report warning that a group of suspected Russian nation-state hackers called Turla was using two types of malware - Neuron and Nautilus - against British targets. Last week, however, a joint report from the NCSC and the U.S. National Security Agency radically revised that narrative.
Unusually, Turla appeared to have hijacked significant attack infrastructure - and the aforementioned attack tools - from an Iranian nation-state attack team called OilRig, aka APT34, Crambus or HelixKitten. In other words, many attacks that traced to Iranian command-and-control servers had in fact been launched by sticky-fingered, Russian-speaking attackers (see: Russian Hackers Coopted Iranian APT Group's Infrastructure).
Complicating Adversaries' Efforts
Officials say releasing the tactics, techniques and procedures used by nation-state attackers is meant to help organizations better defend themselves. But such a strategy also aims to make launching these types of attacks more time-consuming and costly for adversaries.
Indeed, Oliver Dowden, paymaster general and minister for the Cabinet Office in the Conservative British government led by Prime Minister Boris Johnson, said last week that the NCSC's mission is to "take the fight to our cyber adversaries - hostile states, reckless hacktivists and organized gangs" - in part by calling out bad behavior.
"In October 2018, that meant exposing Russian military attacks on political institutions and business, media and sporting interests - the World Anti-Doping Agency in Lausanne was a target," he said at an Oct. 23 press conference at NCSC's London headquarters (see: Dutch and British Governments Slam Russia for Cyberattacks). And last week, NCSC "exposed how suspected Russian-based cyber hackers had piggybacked on the illegal operations and methods of a group of Iranian-led hackers, targeting 35 countries."
"We were set up to be technically expert" at helping British organizations handle cyberattacks, cyberthreats and incident management, Ciaran Martin, chief executive of the NCSC, told reporters earlier this year at the CyberUK conference in Glasgow, Scotland (see: Cybersecurity Drives Intelligence Agencies in From the Cold).
Intelligence Report Reveals Bigger Picture
The release of the joint report last week led some cybersecurity watchers to dismiss it as doing nothing more than repeating what private security firms had already described. In fact, the joint report rewrote the story.
In June, Symantec had said it "observed one targeted attack group seemingly hijack and use the infrastructure of another group," apparently for the first time, pointing to Turla's use of OilRig's PoisonFrog control panel.
Without a doubt, those private-sector reports shined a public light on Turla's TTPs, and the joint NCSC and NSA report references Symantec's research. What the private sector did not have was the full picture of how far the hijacking went, which is what the agencies' report supplied.
Eyes on Target
It's not clear to what extent GCHQ, NSA or their other Five Eyes intelligence-sharing partners - Australia, Canada and New Zealand - were independently tracking Turla's activities, including its seizure of OilRig's assets. Of course, they're not going to say. But it seems clear they have had eyes on the target (see: Intelligence Agencies Seek Fast Cyber Threat Dissemination).
"The elephant in the room entails the vantage point NSA and GCHQ would've had to be in, in order to gain these insights," said J. A. Guerrero-Saade, a cybercrime researcher at Google's Chronicle who formerly worked with Kaspersky's research team, in a series of tweets on Tuesday (edited slightly for readability).
"While some of the initial warnings could've come from observing traffic to/from Iran's C2 [aka command-and-control] infrastructure or Symantec's reporting regarding PoisonFrog and Turla deployment, their ability to comment on the placement of Turla implants within Iran's infrastructure and original development provenance of the backdoors entails the same or greater level of access," he said.
Western intelligence agencies enjoying deep access to nation-state attackers' infrastructure "should not come as a surprise," he added, noting that Five Eyes has previously tracked Turla's operations. One document leaked by ex-NSA contractor Edward Snowden was a secret 2011 presentation by Canada's Communications Security Establishment on a Russian computer network exploitation group - CNE being intelligence-agency terminology for intrusions conducted to gather information - code-named MAKERSMARK by Five Eyes.
'Implemented by Morons'
That presentation summarizes the Russian CNE group's activities and infrastructure thusly: "Designed by geniuses, implemented by morons." It notes that while the systems are very well designed, team members appear to use nation-state attack infrastructure for personal browsing, and to have a "development shop infected by crimeware."
Google's Guerrero-Saade said those slides reveal that Western intelligence agencies were able to use passive collection - obtaining data in transit rather than by breaking into systems - to attribute the Russian CNE team's attacks, despite its use of an anonymization network.
Until recently, nobody in the private sector had the full picture of OilRig's assets having been seized by Russians for so-called fourth-party collection. That's spy-speak for one intelligence service intercepting - or, as here, taking over - another service's CNE activity and its collected data for its own purposes.
"We - private sector threat intel researchers - mistook the provenance of Neuron and Nautilus," Guerrero-Saade said, believing them to have been built by Russia, when in fact "it seems they'd been stolen" from Iran.
We enter the realm of fourth-party collection with a scenario @craiu and I described as 'victim stealing', where attacker A's vulnerable backdoor design allows attacker B to identify and usurp victims, piggybacking on exfil or disabling A's toolkit to replace it with their own. pic.twitter.com/SmVONnYXpX— J. A. Guerrero-Saade (@juanandres_gs) October 29, 2019
"For those following along at home, this is precisely why mature threat actors emphasize the importance of NOBUS backdoor design - 'nobody but us,' i.e. my backdoor shouldn't enable someone else to access the target," Guerrero-Saade said.
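The "victim stealing" scenario above comes down to one design property of the backdoor: does the implant trust whoever controls its C2 server, or only whoever holds the operators' key? The following is an added example, not code from the article, from OilRig or Turla tooling, or from the researchers quoted; it assumes Ed25519 task signatures plus a monotonic sequence number as the NOBUS mechanism, and the hostnames and commands in it are made up. It plays out both designs against a hijacker who has seized the C2 server, including the server's log of previously issued tasks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Task is a command that C2 infrastructure hands to an implant.
type Task struct {
	Seq     uint64 // increases per operator; lets the implant reject replayed tasks
	Command string
	Sig     []byte // Ed25519 signature over Seq||Command; ignored by the weak implant
}

// taskBytes is the byte string that gets signed and verified.
func taskBytes(seq uint64, cmd string) []byte {
	b := make([]byte, 8+len(cmd))
	binary.BigEndian.PutUint64(b, seq)
	copy(b[8:], cmd)
	return b
}

// WeakImplant is the "vulnerable backdoor design": whoever controls the
// C2 server controls the victim, because tasks are not authenticated.
type WeakImplant struct{ Executed []string }

func (w *WeakImplant) Accept(t Task) bool {
	w.Executed = append(w.Executed, t.Command)
	return true
}

// NobusImplant embeds only the operators' public key. The private key stays
// with the operators and never sits on C2 infrastructure, so seizing the
// server yields no ability to task the implant.
type NobusImplant struct {
	OperatorPub ed25519.PublicKey
	lastSeq     uint64
	Executed    []string
}

func (n *NobusImplant) Accept(t Task) bool {
	if t.Seq <= n.lastSeq {
		return false // replay of a task already seen, e.g. one pulled from the server's log
	}
	if !ed25519.Verify(n.OperatorPub, taskBytes(t.Seq, t.Command), t.Sig) {
		return false // not signed by the operators' key
	}
	n.lastSeq = t.Seq
	n.Executed = append(n.Executed, t.Command)
	return true
}

// Operator signs tasks with a key that never leaves the operators' side.
type Operator struct {
	priv ed25519.PrivateKey
	seq  uint64
}

func NewOperator() (*Operator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Operator{priv: priv}, pub
}

func (o *Operator) Issue(cmd string) Task {
	o.seq++
	return Task{Seq: o.seq, Command: cmd, Sig: ed25519.Sign(o.priv, taskBytes(o.seq, cmd))}
}

// Outcome records what a hijacker who has taken over the C2 server achieved.
type Outcome struct {
	WeakHijacked  bool // weak implant ran the hijacker's command
	NobusForged   bool // NOBUS implant ran a task signed with the hijacker's own key
	NobusReplayed bool // NOBUS implant re-ran a genuine task captured from the server
	NobusGenuine  bool // NOBUS implant still accepts the real operators' fresh tasks
}

// RunScenario plays out victim stealing: attacker A tasks its implants through
// a C2 server that attacker B later seizes, log and all.
func RunScenario() Outcome {
	opA, pubA := NewOperator()
	weak := &WeakImplant{}
	nobus := &NobusImplant{OperatorPub: pubA}

	// Normal operation: A issues a task and the server keeps a copy of it.
	genuine := opA.Issue("collect /home/*/Documents") // constructed sample command
	serverLog := []Task{genuine}
	nobus.Accept(genuine)
	weak.Accept(Task{Command: genuine.Command})

	// B seizes the server: it can push any task and read the log, but it
	// only holds its own signing key (hypothetical hostname below).
	opB, _ := NewOperator()
	cmd := "download-exec https://hijacker.example/stage2"
	forged := Task{Seq: 99, Command: cmd, Sig: ed25519.Sign(opB.priv, taskBytes(99, cmd))}

	return Outcome{
		WeakHijacked:  weak.Accept(Task{Command: cmd}),
		NobusForged:   nobus.Accept(forged),
		NobusReplayed: nobus.Accept(serverLog[0]),
		NobusGenuine:  nobus.Accept(opA.Issue("exfil staging.zip")),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The design choice worth noticing is that the secret needed to task victims is asymmetric and lives off the infrastructure: a symmetric key (HMAC, a hard-coded password) would have been sitting on the seized server, or extractable from a captured implant sample, and would have handed the hijacker the same control it gives the original operators.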
When Governments Attribute
The publication of the joint report raises the question of whether attributing attacks such as these, conducted by nation-state attackers, helps organizations that might be targeted in the future. Surely organizations should already be prepared to repel all attacks, whether run by nation-state groups, cybercrime attackers, hacktivists, ex-employees with a grudge or any other adversary.
From a cybersecurity standpoint, however, that's only part of the picture. As noted, bringing cyber espionage operations to light makes running future operations more costly and time-consuming for adversaries, and in this case the report also corrects the record for defenders: indicators and infrastructure that had been filed under Iran's OilRig were, for a period, being operated by Turla.
In the case of Turla's takeover of OilRig's infrastructure, furthermore, the NCSC and NSA's joint attribution makes clear who was actually responsible.
"We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them," says Paul Chichester, the NCSC's director of operations. "Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims."