Russian APT hacked Iranian APT's infrastructure back in 2017

Turla APT hacked Iran's APT34 group and used its C&C servers to re-infect APT34 victims with its own malware.
Written by Catalin Cimpanu, Contributor

As fellow ZDNet writer Andrada Fiscutean once wrote in the fall of 2017: "Spies hack. But the best spies hack other spies."

That story revolved around a Virus Bulletin 2017 talk detailing several mysterious cases where APTs (advanced persistent threats, a technical term used to describe government-backed hacking units) appeared to had compromised the infrastructure of other APTs, either by accident, or intentionally.

The article mentioned how two North Korean APTs hacked the same "staging" server to launch attacks against their targets, but without appearing to have known about each other's presence on the same system.

And it also mentioned the case of a mysterious Chinese APT that hacked the control panel of command and control (C&C) servers operated by a Russian APT (Crouching Yeti, DragonFly) to deploy a hidden tracking pixel to monitor every time Russian operators logged into their accounts to launch attacks.

A new instance of "spies hack other spies"

But today, in a report published by Symantec and shared with ZDNet, the US-based cyber-security company said it found another case of a country's APT hacking into the infrastructure of another country's APT.

The one doing all the hacking is an APT known as Turla, linked to Russia's government for nearly two decades.

The Turla APT is infamous for past operations that seem to be pulled out of Hollywood movies. The group has been known to hijack and use telecommunications satellites to deliver malware to remote areas of the globe, has developed malware that hid its control mechanism inside comments posted on Britney Spears' Instagram photos, and has hijacked the infrastructure of entire ISPs to redirect users to malware.

One of its more recent hacking campaigns, as detailed in ESET and Kaspersky reports, involved the use of a new and incredibly clever type of backdoor for Microsoft Exchange email servers, called LightNeuron (Symantec codename: Neptun).

Turla hacked APT34 in late 2017

While investigating this campaign for its own report, Symantec said it found evidence that sometime in November 2017, the Turla APT (which Symantec calls Waterbug) had hacked into the server infrastructure of an Iranian APT known as APT34 (also known as Oilrig or Crambus).

According to Symantec, Turla used APT34's command and control servers to drop malware on the computers already infected with Oilrig hacking tools.

"The first observed evidence of [Turla] activity came on January 11, 2018, when a [Turla]-linked tool (a task scheduler named msfgi.exe) was dropped on to a computer on the victim's network," Symantec said.

The next day, on January 12, the Turla group used APT34's network once again, dropping additional malware on other computers previously compromised by APT34. The victim was a Middle Eastern government, according to Symantec.

Turla hacking APT34
Image: Symantec

It appears that APT34 operators did not detect the intrusion.

"We do not have any evidence that [Oilrig] reacted to the takeover," Alexandrea Berninger, a Senior Cyber Intelligence Analyst for Symantec's Managed Adversary and Threat Intelligence (MATI) team, told ZDNet via email.

"However, we have evidence suggesting that [Oilrig] remained active in the government entity's network through at least late 2018 using other command and control infrastructure," she said.

And Turla's presence on the same network also continued, until at least September 2018, when Symantec last saw activity from the Russian hackers.

The APT34 leaks

But the Turla hack of APT34's infrastructure was not APT34's only leak. Throughout March and April this year, a mysterious group of hackers has been trying to sell and has released the source code of several APT34 hacking tools.

It makes one wonder if the ones leaking the APT34 tools aren't Turla or a fellow Russian intelligence agency.

"There isn't any evidence that would point in this direction," Berninger told ZDNet.

"However, the leaks do suggest that [APT34's] infrastructure may have been vulnerable to compromise, meaning that it was possibly a relatively simple diversion for [Turla] to use [APT34's] infrastructure."

Symantec's report on the recent Turla (Waterbug) hacking campaign will be released later today. We'll update this paragraph with a link to the report when it goes public.

The worst cyberattacks undertaken by nation-state hackers

Related malware and cybercrime coverage:

Editorial standards