A Russian group hijacked an Iranian hacking group's infrastructure to conduct espionage in multiple countries, the UK and US intelligence agencies have revealed. The Iranian group, codenamed OilRig, was used as cover by a Russia-based group known as Turla. A National Cyber Security Centre (NCSC) investigation into attacks on a UK academic institution, which began in the 21st century, uncovered the double-dealing.
The NCSC discovered that the attack on the organisation was carried out by the Russian Turla group, which it realised had been using the tooling and infrastructure of the Iran-based OilRig. In the months that followed, the investigation made clear that the Russian group had targeted the Iran-based group and used its data and access to compromise further systems and to collect data from them.
Attacks were launched against more than 35 countries, most of them in the Middle East. At least 20 were successfully compromised. The aim was to steal secrets, and documents were taken from several targets, including governments. Investigators said that Turla was both collecting the information the Iranians were stealing and conducting its own operations through the Iranian access, in the hope that this would hide its tracks.
Victims may have assumed they had been compromised by Iran-based groups when the real culprit was in Russia. There is no evidence that Iran was complicit in or aware of Russia's use of its access, or that the operation was intended to inflame tensions between the two countries; rather, it is a symptom of the increasingly complex world of cyber operations.
“It’s becoming a very crowded place,” explained Paul Chichester, director of operations at the NCSC, the cyber-security arm of the intelligence agency GCHQ. He added that he had never seen such a sophisticated attack before. It has been separately reported that the US and UK have similar capabilities.
Mr Chichester said he would not describe the Russian hacking operation as a “false flag” because it was not a deliberate attempt to frame someone else. The NCSC will not directly blame the Russian and Iranian states for the attacks, but Turla has previously been linked to the Russian security service, the FSB, and OilRig to the Iranian state.
‘We can identify them’
The investigation originated in the UK, but the details have been jointly disclosed by the NCSC and the US NSA. In June, the private security company Symantec published a report on Turla's activity involving another spy group. Mr Chichester said that the purpose of publishing the details was to help others identify and defend against these activities. “We want to send a clear message that even when cyber-actors seek to mask their identities, our capabilities are a match for them and we can identify them,” he said. How the two groups will respond to this exposure is not something that officials can predict.