Turla’s use of Iranian infrastructure probably opportunistic

Russian government-linked advanced persistent threat (APT) group Turla, which was revealed last year to have hijacked Iranian computer network operations resources to conduct its attacks and obfuscate its activity, was likely to have been operating opportunistically and not collaborating with the Iranians, according to new research published by Record Future’s Insikt unit.

In October 2019, the UK’s National Cyber Security Centre (NCSC) and the US’s National Security Agency (NSA) closed out a two-year investigation and published conclusive evidence that Turla was attacking its victims using implants that had been stolen from the APT34 or OilRig APT group, which is linked to the Iranian government.

To date, the group’s victims have included military organisations, government departments, academic and research institutions, publishing and media companies, and targets often have specific interests in scientific and energy research, and diplomatic affairs. Many of them have been located in European and other NATO states, and former Soviet republics.

The group has become known for its use of watering-hole attacks – often using compromised WordPress sites – and spear-phishing campaigns, but it has also used a number of more inventive techniques, including the use of satellites to exfiltrate data from remote areas. It is also known to rely on open source software tools, but also specialises in developing its own malware strains. In 2019, it pivoted to heavy reliance on PowerShell exploits in its attacks.

Further research carried out by Insikt into Turla – which also goes by the names Snake, Waterbug and Venomous Bear – revealed that its hijacking of APT34’s resources has been unique among known threat actors to date, amounting effectively to a complete takeover of one nation state group’s assets by another.

Insikt said that although it was possible that this was due to some measure of collaboration, the available evidence did not support that conclusion.

“For example, while Turla had significant insight into APT34 tools and operations, they were required to scan for Iranian web shells in order to find where these tools were deployed,” wrote the report’s authors. “We assess that Turla’s interposition into Iranian operations was likely an uncoordinated and thus hostile act.

“While Insikt Group assesses that Turla Group’s use of APT34 infrastructure was primarily opportunistic in nature, an added benefit for the operators was likely the deception of incident responders, who would potentially identify the tools as Iranian in origin.”

Turla does have form in this regard, having reused Chinese state-attributed malware strain Quarian in attacks in 2012. Previous assessments by other threat researchers had suggested Turla downloaded, then uninstalled Quarian in order to divert and deceive victims’ security teams and investigators.

Although, like many other nation-state APT groups, Turla has increased its reliance on open source and commodity tools, the fact that it continues to develop its own advanced malware strains – Reductor RAT, first identified in the autumn of 2019, is suspected of being one of its projects – makes it a more potent threat in some ways.

Insikt said it was indubitably a well-funded group, committed to improving its tools and practices, and certainly connected to a nation state with advanced cyber security capabilities.

“Although we expect its targeting and practices to shift over time, Insikt Group assesses that Turla will remain an active, advanced threat for years to come that will continue to surprise with unique operational concepts,” said the researchers.

However, one piece of good news for security teams may be that because Turla is largely consistent in its attack patterns and uses stable and periodically updated versions of unique malware in lengthy campaigns, it is easier to track and identify proactively.

The Insikt Group’s full investigation into Turla can be read on and downloaded from its website.