Categories: SecurityWorkspace

Russian Cyber-Spies ‘Hijacked Iranian Attack Infrastructure’

A Russian hacking group sought to cover its tracks by hijacking tools and techniques used by Iranian hackers, an investigation by UK and US intelligence agencies has found.

The “piggybacking” activity by the Russian Turla group is “unique” in its level of “complexity and scale and sophistication”, said Paul Chichester, director of operations for the NCSC, which is part of GCHQ.

He said the activity goes beyond a “false flag” operation since it was not an attempt to deliberately frame someone else, but was rather an “opportunistic operation” that gave Turla information and access it wouldn’t otherwise have had.

Turla used tools hijacked from OilRig, a hacking group widely linked to the Iranian government, to carry out attacks on targets in more than 35 countries, leading to at least 20 successful compromises.


The attacks were aimed at stealing secrets, and documents were exfiltrated from organisations including governments, military establishments, scientific organisations and universities, mainly in the Middle East, the NCSC said.

The agency uncovered Turla’s activities as part of an investigation begun in 2017 into an attack on a UK academic institution.

OilRig is likely to have been unaware it was being impersonated, the NCSC said.

Chichester said the move “added to the sense of confusion” that surrounds linking a given attack to a particular group of hackers.

He told reporters the NCSC and the US’ NSA were publicising their findings in order to help others to be able to understand what was happening.


Chichester said Turla initially monitored an Iranian attack closely enough to use the same vulnerability and gain access to the same intelligence.

The Russian group then progressed to carrying out attacks using OilRig’s own command-and-control infrastructure and software.

Turla, which has previously been linked to Russia’s FSB, may now be able to hijack infrastructure used by other state-sponsored groups, Chichester said.

“This is becoming a very crowded space and we do see people innovate quite rapidly in that domain,” he said.

Last year US intelligence agencies said Russian attackers had attempted to disrupt the Winter Olympics in Pyeongchang using attack code associated with North Korea’s Lazarus Group.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Apple Criticised For App User Tracking Alert

Plan for iOS 14 to give app users the option to decline ad tracking has…

2 days ago

UK Government To Acquire £400 Million Stake In OneWeb

Watch out SpaceX's Elon Musk? British government and Bharti Global announce deal to acquire satellite…

2 days ago

Mark Zuckerberg Says Advertisers Will Be Back ‘Soon Enough’

What boycott? Facebook's boss Mark Zuckerberg dismisses growing advertiser boycott of the platform over its…

2 days ago

Police ‘Crack’ EncroChat Encryption, Resulting In Hundreds Of Arrests

Organised crime around Europe has been dealt a huge blow after authorities cracked the encryption…

3 days ago

Coronavirus: Apple Closes More Stores In US

As Coronavirus infections rise in the United States, Apple continues to close down more of…

3 days ago

The Shape Of IT In A Post COVID-19 World

Global IT spend is projected to contract 8% in 2020, according to Gartner. Gartner expects…

3 days ago