UK SECURITY SERVICES EXPOSE RUSSIA-BASED HACKERS
Spooks have rumbled an alleged Russia-based group of cyber hackers masquerading as Iranian crooks after they targeted a UK-based victim.
The National Cyber Security Centre (NCSC) spent more than 18 months investigating the Turla terror group - which routinely targets governments, the military, technology, energy and commercial organisations to collect intelligence - after an unnamed "UK academic organisation" was compromised.
The NCSC, part of the Government Communications Headquarters, said Turla hijacked an alleged state-backed Iranian hacking group, known as OilRig or APT34, to subsequently carry out attacks on 35 countries, the majority of which were in the Middle East.
Paul Chichester, the NCSC's director of operations, said: "This has been a many months-long investigation, because we wanted to unpick and unpack what was going on between these two actors.
"We saw Turla doing more development work and seeing APT34 as a target.
"Turla then sought to compromise the operational platforms that APT34 used themselves.
"It is where the APT34's crown jewels are."
Mr Chichester said exposing Turla was significant because its method of espionage was new.
In a briefing to journalists, he said: "We want to call out this behaviour and share the knowledge.
"This is more assessment than fact - I think initially it looked more like an attempt to see how far they could go.
"That has given them, over time, a range of capabilities should they choose to do it.
"This is a real change in the modus operandi of a cyber attack."
The UK-based cyber security experts, who worked in collaboration with their US counterparts, said Turla's intention was to masquerade as an adversary that victims would think more likely to target them.
It meant there was the potential for some cyber attacks to be mis-attributed to APT34, rather than Turla.
Mr Chichester said there was no evidence to believe that Iran was complicit in the cyberhack, nor was there any evidence of collusion.
He added: "This is a group of opportunists being inventive - we have got no evidence to suggest this is a politically led campaign.
"We have never seen these done to the significance it has been done here, it is unique in its complexity.
"It is not linked to a broader Russian campaign, we're calling it out because it is a new technique.
"There is not enough known about this in the public domain."
He said members of the public would not be affected by the cyberhack, but said the NCSC wanted to share the success of the operation "so targets can better defend themselves".
Published: by Radio NewsHub