The National Security Agency (NSA) and UK’s National Cyber Security Centre (NCSC) released a joint statement that the Russian threat actor group, Turla compromised the infrastructure of an Iranian threat group to launch cyberattacks on various countries.
The detailed picture
According to the advisory, Turla, also known as Waterbug, Snake, WhiteBear, and VENOMOUS BEAR, has hijacked the C&C infrastructure from an Iranian APT group to attack targets from dozens of countries.
A report from Symantec stated that Turla was observed spreading its own malware via a Poison Frog panel, which is attributed to Iran-sponsored APT34, also known as OilRig.
Using the Neuron and Nautilus tools, Turla has targeted a range of victims in the Middle East and other countries. Victims in this region include military, government entities, research organizations, and universities.
Turla APT has also used victim networks previously compromised using Snake to scan for servers infected with the ASPX shells in at least 35 countries, including Saudi Arabia, Kuwait, Qatar, and UAE.
“After acquiring the tools – and the data needed to use them operationally –Turla first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims,” the advisory read.