
Suspected Russian hackers disguised as Iranian spies attacked more than 35 countries, security officials say

FOX News

A suspected Russian hacking group disguised as Iranian spies attacked more than 35 countries, U.S. and U.K. security officials said Monday. The group, Turla, also known as Waterbug and VENOMOUS BEAR, used a variety of Iranian tools and infrastructure to hack into "government, military, technology, energy and commercial organizations" in order to steal intelligence from dozens of countries, the U.K. National Cyber Security Centre (NCSC) and the U.S. National Security Agency (NSA) said in a joint report. The majority of the victims were in the Middle East, NCSC said.

Russia's elite hacking unit has been silent, but busy


Turla, one of the codenames the cyber-security industry has given to one of Russia's oldest and most "talented" cyber-espionage units, has been very active in the past three years, even though its operations have not received the same media coverage as those of flashier Russian hacking outfits. According to new research presented yesterday at the Virus Bulletin security conference in Montreal, Canada, the group has been behind dozens of hacks around the world, operating with revamped malware and a tendency towards runtime scripting and the use of open source tools. "Turla was absent from the milestone DNC hack event where Sofacy [APT28] and CozyDuke [APT29] were both present, but Turla was quietly active around the globe on other projects," said Kaspersky's GReAT team in a report published shortly after the presentation. But while APT28 and APT29's loud dissemination of the hacked DNC data led to public inquiries into their ties to Russian intelligence agencies, which eventually produced several public indictments [1, 2, 3], Turla has remained as much of a mystery as it always was. Considered by many to be Russia's elite hacking unit, Turla is believed to have ties to Moonlight Maze, one of the first government-backed hacking operations ever discovered, back in the 1990s.

Russia-linked group likely used Iranian hacking tools, NSA says

The Japan Times

WASHINGTON – A Russia-linked group is believed to have used Iranian tools to conduct cyberattacks against dozens of countries, in an apparent effort to mask its identity, according to joint advisories by the U.S. and the U.K. The group, known as Turla, used tools from suspected Iran-based hacking groups and deployed them against old and new targets. In order to acquire the tools, Turla "compromised the suspected Iran-based hacking groups themselves," according to the U.S. National Security Agency and the U.K.'s National Cyber Security Centre, which released the advisories on Monday. The original owners of the tools "were almost certainly not aware of, or complicit with, Turla's use of their implants," the agencies said. The attacks, against more than 35 countries, would appear to the victims to be coming from Iran. "We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them," said Paul Chichester, director of operations for the U.K. cyber agency, in one of the advisories.

Turla Mosquito Hacker Group shift to Open Source Malware


Turla, a hacking group that has been active for over ten years and is one of the largest known state-sponsored cyber-espionage groups, is showing a shift in its behaviour, from using its own creations to leveraging the open source exploitation framework Metasploit before dropping its custom Mosquito backdoor. While this is not the first time Turla has used generic tools, researchers at ESET say it is the first time the group has used Metasploit, an open-source penetration testing framework, as a first-stage backdoor. "In the past, we have seen the group using open-source password dumpers such as Mimikatz," ESET Research said in a blog post. "However, to our knowledge, this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper." The typical targets remain embassies and consulates in Eastern Europe, and the group is still using a fake Flash installer that installs both the Turla backdoor and the legitimate Adobe Flash Player.

Russian hacker group use HTTP status codes to control malware implants


Security researchers from Kaspersky have identified a new version of the COMpfun malware that controls infected hosts using a mechanism that relies on HTTP status codes: the command-and-control server answers the implant's requests with chosen status codes, and the implant treats each code as an instruction rather than as an error. The malware was first spotted in November of last year and has been deployed in attacks against diplomatic entities across Europe. The group responsible is Turla, a state-sponsored Russian threat actor that has historically engaged in cyber-espionage operations.
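A status-code channel like the one described above leaves a distinctive trace in web proxy logs: one client repeatedly fetching the same URL on a fixed cadence, receiving several different 4xx/5xx codes with near-empty bodies, where a browser hitting a broken site would mostly see one code (404) alongside normal 200s. The script below is an added detection example written for this page; it is not Kaspersky's code and not taken from the COMpfun report. The log format, the host 203.0.113.7, the specific status codes and the thresholds are all constructed for illustration, so they should be tuned to the proxy and traffic you actually have.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed proxy log lines (hypothetical, not real traffic):
# timestamp client method url status response_bytes
# 10.0.0.5 beacons every 5 minutes to one URL and gets assorted 4xx codes with empty bodies;
# 10.0.0.9 is ordinary browsing with one 404 and real-sized responses.
SAMPLE_LOG = """\
2020-05-14T10:00:00Z 10.0.0.5 GET http://203.0.113.7/index.php 200 17
2020-05-14T10:05:00Z 10.0.0.5 GET http://203.0.113.7/index.php 402 0
2020-05-14T10:10:00Z 10.0.0.5 GET http://203.0.113.7/index.php 422 0
2020-05-14T10:15:00Z 10.0.0.5 GET http://203.0.113.7/index.php 402 0
2020-05-14T10:20:00Z 10.0.0.5 GET http://203.0.113.7/index.php 427 0
2020-05-14T10:25:00Z 10.0.0.5 GET http://203.0.113.7/index.php 428 0
2020-05-14T10:00:12Z 10.0.0.9 GET http://www.example.org/ 200 52310
2020-05-14T10:00:13Z 10.0.0.9 GET http://www.example.org/style.css 200 8010
2020-05-14T10:00:14Z 10.0.0.9 GET http://www.example.org/missing.png 404 1203
2020-05-14T10:01:40Z 10.0.0.9 GET http://www.example.org/news 200 44120
2020-05-14T10:02:02Z 10.0.0.9 GET http://www.example.org/old 301 0
2020-05-14T10:03:15Z 10.0.0.9 GET http://www.example.org/news/2 200 39001
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, size = m.groups()
        parts = urlsplit(url)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client,
            "host": parts.netloc,
            "path": parts.path,
            "status": int(status),
            "size": int(size),
        })
    return records


def find_status_code_c2(records, min_requests=5, min_distinct_error_codes=3,
                        max_body_bytes=64, max_jitter=0.25):
    """Flag (client, host) pairs whose traffic looks like status-code-driven tasking.

    Heuristic (thresholds are assumptions): at least min_requests to a single path,
    at least half of them answered with 4xx/5xx, several distinct error codes,
    bodies no larger than max_body_bytes, and a regular interval between requests
    (population stddev of gaps divided by the mean gap at most max_jitter).
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["host"])].append(r)

    hits = {}
    for key, reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["ts"])
        error_codes = {r["status"] for r in reqs if r["status"] >= 400}
        error_ratio = sum(r["status"] >= 400 for r in reqs) / len(reqs)
        small_bodies = all(r["size"] <= max_body_bytes for r in reqs)
        single_path = len({r["path"] for r in reqs}) == 1
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if (len(error_codes) >= min_distinct_error_codes and error_ratio >= 0.5
                and small_bodies and single_path and jitter <= max_jitter):
            hits[key] = {
                "requests": len(reqs),
                "error_codes": sorted(error_codes),
                "mean_gap_s": mean_gap,
                "jitter": round(jitter, 3),
            }
    return hits


if __name__ == "__main__":
    for (client, host), info in find_status_code_c2(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {info}")
```

The cadence and single-path checks are what separate this from a user browsing a misconfigured site, but they are also the easiest things for an operator to vary (random sleep, rotating paths), so treat a hit as a lead for inspecting the destination host and the requesting process rather than as a verdict.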