Russian Hackers Using Iranian APTs Infrastructure in Widespread Attacks

Published: 23/11/2024   Category: security




A new advisory from the UK's NCSC and the NSA sheds fresh light on activity first revealed by Symantec in June.



A new report from the United Kingdom's National Cyber Security Centre (NCSC) shows that the Russia-backed cyber espionage group Turla has carried out more attacks than previously thought using infrastructure and malware hijacked from the Iranian threat group APT34.
The NCSC recently analyzed data on Turla's use of three malware tools, Neuron, Nautilus, and an ASPX-based backdoor, in attacks targeting UK organizations. The tools are designed to steal data and maintain persistence on Windows networks.
The NCSC has previously noted Turla's use of these tools in intelligence-gathering operations targeting organizations in the technology, military, energy, and government sectors. But until now it had not connected the tools to APT34 (aka OilRig, Crambus), although Symantec did so in a report back in June.
In a joint advisory with the National Security Agency (NSA) published Monday, the NCSC said its analysis of the malware, based on data from multiple sources, shows Neuron and Nautilus are very likely Iranian in origin. The data shows that Turla hijacked not only APT34's tools but also its command-and-control infrastructure, using it to deliver malware and additional payloads to compromised systems, the NCSC said.
Symantec reported in June that it had observed Waterbug (the security vendor's name for Turla) using APT34's malware and infrastructure in one targeted attack against an organization in the Middle East. The NCSC and NSA advisory, however, makes clear that the Russian threat group used APT34's malware and infrastructure in attacks on multiple targets, especially in the Middle East.
Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla's use of their implants, the NCSC said. "While Neuron and Nautilus tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements."
This is believed to be the first publicly known instance of one state-backed APT group hijacking and using a rival nation-state actor's attack infrastructure to expand its victim targeting. "Although this type of activity has been discussed as a hypothetical tactic within the cybersecurity industry, it has rarely been publicly identified as being used operationally," says Alexandrea Berninger, senior cyber intelligence analyst at Symantec.
Like the NCSC, Symantec has found no evidence that the Iranian threat group knew it had been compromised or that another group was using its attack infrastructure to target the same victims. "The identification of Waterbug using Crambus infrastructure in our report in June was the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group," Berninger notes.
According to the NCSC, Turla used APT34's hijacked tools both on networks the latter had already compromised and on additional victim networks. The data showed that Turla scanned networks across 35 countries, many in the Middle East, for the presence of the Iranian ASPX backdoor associated with APT34. When it found such networks, the Russian group attempted to leverage APT34's hijacked malware and infrastructure to establish its own separate presence on them.
In some instances, APT34 would first deploy its implant on a victim network, only to have Turla access it later. The Russian group's ability to connect remotely to APT34's malware tools and get them to execute commands suggests that Turla had access to the relevant cryptographic keys and controllers belonging to the Iranian group, the NCSC said.
Somewhat ironically, even as APT34 was busy distributing its malware on target networks, Turla quietly deployed its own implants on the Iranian group's infrastructure and used them to expand its access into it.
More Attack Options
Avihai Ben Yossef, CTO of Cymulate, says Turla's strategy could give the Russian group more data and more attack options. "Breaking into APT34 infrastructure could provide them with a network of already compromised machines or databases from which to build out attacks. This type of activity isn't at all common, as usually APT groups know how to protect their infrastructure and data," he says.
Turla/Waterbug also may be using the stolen infrastructure to throw off defenders, says Berninger. "Turla/Waterbug has a history of false-flag operations and deceptive tactics. So the group's takeover of another group's network would fit into that pattern," she says.
Alternatively, the data also suggests that the Russian threat actor may be using Crambus/APT34's infrastructure to gain initial access to victim networks. Waterbug is a sophisticated actor and likely has the capability to gain initial access by other means, Berninger notes.
"But threat actors tend to be opportunistic. If they get a chance to break into a network without having to put the work into it, they are likely to take the opportunity. Gaining access to another APT group's infrastructure could provide Waterbug access to multiple victims they have interest in and would allow Waterbug to drop additional tools onto those networks to maintain access and execute their objectives," she says.
Turla's strategy of riding on Crambus' back can complicate matters for targeted organizations, Berninger says. Because attribution becomes harder, defenders could end up deploying the wrong response to an attack, she notes.
