Wilderness of Mirrors in Cyberspace: nexus among APTs
Between at least 2017 and 2019 [1], the Russian foreign intelligence service (FIS)-sponsored Advanced Persistent Threat (APT) Turla (aka Venomous Bear) was identified as having hacked into and used the infrastructure of APT-33, APT-34, and APT-35, groups sponsored by Iran's Islamic Revolutionary Guard Corps (IRGC). [2] In late 2019 the U.S. National Security Agency (NSA), in coordination with the U.K. National Cyber Security Centre (NCSC), part of Government Communications Headquarters (GCHQ), published an advisory on the matter providing useful Indicators of Compromise (IOCs), indicators for forensic analysis, and victim insights. [3] The case of Turla masquerading as an Iranian APT demonstrates a sophisticated scenario that challenges government instruments of power to attribute activity to, and deny, a foreign adversary in this wilderness of mirrors.
Law enforcement (LE), friendly intelligence services, and security-industry partners have worked to document Turla as an evasive global threat actor targeting research, diplomatic, and military industries [4] since at least 1996. [5] The Federalnaya Sluzhba Bezopasnosti, or Federal Security Service (FSB), the modern-day successor of the renowned KGB, is very active in offensive cyber capabilities and remote digital surveillance. In particular, FSB Center 16 conducts “cyber operations including the intercepting, decrypting and processing of electronic messages, and the technical penetration of foreign target[s].” The NCSC has attributed Turla to FSB Center 16. [6] U.S. and Commonwealth allied signals intelligence and cyber warfare organizations have routinely issued warnings about Turla's tradecraft. National security, defense, and industry have worked together across security-restriction boundaries to produce enhanced IOCs and detailed tactics, techniques, and procedures (TTPs) to help secure potential victims.
Turla is a fascinating case: its attribution to the Russian FIS is widely known, yet it exploited the infrastructure of a quasi-partner (the IRGC). [7] Turla does not use overly complex TTPs. It relies largely on PowerShell scripts for malware installation, delivered via USB drives, compromised WordPress sites, and Microsoft email servers, and its malware is largely commanded and controlled over HTTP/S. [4] Nor was the exploitation of APT34's infrastructure witting on the IRGC's part: Turla exfiltrated directory information, files, and keylogger recordings from it. [8] While not the most sophisticated Russian APT, Turla demonstrates significant obfuscation methods that have enabled decades of high-impact operations against government and industrial-base targets.
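The practical consequence for a defender is that an IOC published for one actor may sit in another actor's list as well, and a single hit on shared infrastructure attributes nothing on its own. The following Python script is an added illustration of that point, not code from the page or from the NSA/NCSC advisory: it correlates constructed proxy-log lines against constructed per-actor IOC sets (placeholder addresses and hostnames only, not real indicators) and labels a hit as "shared" whenever more than one actor's set contains the indicator, rather than attributing it to whichever list happened to match first.

```python
"""Correlate proxy-log destinations against per-actor IOC sets and flag
indicators that appear in more than one actor's set (shared infrastructure),
so a hit is not attributed on the basis of one overlapping indicator.
All IOCs and log lines here are CONSTRUCTED placeholders, not indicators
from the NSA/NCSC advisory."""
from collections import defaultdict
import re

# Constructed IOC sets keyed by actor label (placeholder values only).
IOC_SETS = {
    "Turla": {"203.0.113.10", "update-cdn.example.invalid"},
    "APT34": {"203.0.113.10", "198.51.100.7", "mail-sync.example.invalid"},
    "APT35": {"198.51.100.7"},
}

# Constructed proxy log: timestamp, client, destination, method, path, status.
SAMPLE_LOG = """\
2019-10-21T10:00:01Z 10.0.0.5 203.0.113.10 POST /api/v1/sync 200
2019-10-21T10:00:07Z 10.0.0.5 www.example.org GET /index.html 200
2019-10-21T10:01:12Z 10.0.0.9 mail-sync.example.invalid GET /owa/ 302
2019-10-21T10:02:45Z 10.0.0.7 198.51.100.7 POST /upload 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def build_index(ioc_sets):
    """Invert actor -> indicators into indicator -> set of actors."""
    index = defaultdict(set)
    for actor, indicators in ioc_sets.items():
        for ioc in indicators:
            index[ioc].add(actor)
    return index


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, dest, method, path, status = m.groups()
    return {"ts": ts, "client": client, "dest": dest,
            "method": method, "path": path, "status": int(status)}


def correlate(log_text, ioc_sets):
    """Return one finding per log line whose destination matches an IOC.

    'attribution' carries the actor label only when exactly one actor lists
    the indicator; otherwise it is 'shared' and every actor is named, because
    infrastructure shared across actors cannot attribute by itself."""
    index = build_index(ioc_sets)
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dest"] not in index:
            continue
        actors = sorted(index[rec["dest"]])
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "indicator": rec["dest"],
            "actors": actors,
            "attribution": actors[0] if len(actors) == 1 else "shared",
        })
    return findings


def shared_indicators(ioc_sets):
    """Indicators present in more than one actor's set, with the actors."""
    index = build_index(ioc_sets)
    return {ioc: sorted(a) for ioc, a in index.items() if len(a) > 1}


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG, IOC_SETS):
        print(finding)
    print("shared infrastructure:", shared_indicators(IOC_SETS))
```

Run against the constructed data, two of the three hits land on indicators listed for more than one actor and come back as "shared"; only the hit on the hostname unique to one list carries an actor label. In practice the per-actor sets would be loaded from the published advisories and the log from the proxy, but the decision logic is the same: check for overlap before attributing.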
Turla evades multiple national military and intelligence services, targeting victims with impunity. There is no straightforward way to put an end to these sorts of operations; the problem challenges even the most advanced international policy experts. For now, partnered organizations can best work together to reduce the impact of any future Turla or Turla-inspired attack.
References:
[1] “Russian APT hacked Iranian APT’s infrastructure back in 2017,” ZDNET. https://www.zdnet.com/article/russian-apt-hacked-iranian-apts-infrastructure-back-in-2017/ (accessed Mar. 20, 2023).
[2] “Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs.” https://www.recordedfuture.com/bluealpha-iranian-apts (accessed Mar. 20, 2023).
[3] “Advisory: Turla group exploits Iranian APT to expand coverage of victims.” https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims (accessed Mar. 20, 2023).
[4] “Swallowing the Snake’s Tail: Tracking Turla Infrastructure.” https://www.recordedfuture.com/turla-apt-infrastructure (accessed Mar. 20, 2023).
[5] “Turla, Waterbug, Venomous Bear — Threat Group Cards: A Threat Actor Encyclopedia.” https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Turla%2C%20Waterbug%2C%20Venomous%20Bear&n=1 (accessed Mar. 20, 2023).
[6] “Russia’s FSB malign activity: factsheet,” GOV.UK. https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet (accessed Mar. 20, 2023).
[7] “Russian Attackers Used Iranian Infrastructure and Tools Against Multiple Targets,” Decipher, Oct. 21, 2019. https://duo.com/decipher/russian-attackers-used-iranian-infrastructure-and-tools-against-multiple-targets (accessed Mar. 20, 2023).
[8] “Russian Hackers Use Iranian Threat Group’s Tools, Servers as Cover,” BleepingComputer. https://www.bleepingcomputer.com/news/security/russian-hackers-use-iranian-threat-groups-tools-servers-as-cover/ (accessed Mar. 20, 2023).
[9] “NCSC exposes Iranian, Russian spear-phishing campaign targeting UK,” ComputerWeekly.com. https://www.computerweekly.com/news/252529571/NCSC-exposes-Iranian-Russian-spear-phishing-campaign-targeting-UK (accessed Mar. 20, 2023).