Hacking the hackers: Russian group hijacked Iranian spying operation
Russian hackers piggy-backed on an Iranian cyber-espionage operation to attack government and industry organisations in dozens of countries masquerading as attackers from the Islamic Republic, British and US officials said.

The Russian group, known as “Turla” and accused by Estonian and Czech authorities of operating on behalf of Russia’s FSB security service, used Iranian tools and computer infrastructure to successfully hack organisations in at least 20 countries over the last 18 months, British security officials said.

The hacking campaign was most active in the Middle East and targeted organisations in Britain, they said.

Paul Chichester, a senior official at Britain’s GCHQ, said the operation showed state-backed hackers are working in a “crowded space” and developing new attacks and methods to better cover their tracks.

In a statement accompanying a joint advisory with the US National Security Agency (NSA), GCHQ’s National Cyber Security Centre said it wanted to raise industry awareness and make attacks more difficult for adversaries.

“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” said Chichester, NCSC director of operations.

Officials in Russia and Iran did not immediately respond to requests for comment. Moscow and Tehran repeatedly deny Western hacking allegations.

Western officials rank Russia and Iran as two of the most dangerous threats in cyberspace, alongside China and North Korea, with both governments accused of hacking operations against countries around the world.

Intelligence officials said there was no evidence of collusion between Turla and its Iranian victim, a hacking group known as “APT34” which cybersecurity researchers at firms including FireEye say works for the Iranian government.

Rather, Russian hackers infiltrated the Iranian group’s infrastructure to “masquerade as an adversary which victims would expect to target them,” said GCHQ’s Chichester.

Turla’s actions show the dangers of wrongly attributing cyberattacks, British officials said, adding they were not aware of public incidents incorrectly blamed on Iran as a result of the Russian operation.

The United States and its Western allies use foreign cyberattacks to facilitate their own spying operations, a practice referred to as “fourth party collection,” according to documents released by former US intelligence contractor Edward Snowden and reporting by German magazine Der Spiegel.

GCHQ declined to comment on Western operations.

By gaining access to Iranian infrastructure, Turla was able to use APT34’s “command and control” systems to deploy its own malicious code, GCHQ and the NSA said in a public advisory.

The Russian group was also able to access the networks of existing APT34 victims and access the code needed to build its own “Iranian” hacking tools.