
Hacking the hackers: Russian group hijacked Iranian spying operation, officials say


Russian hackers piggy-backed on an Iranian cyber-espionage operation to attack government and industry organizations in dozens of countries while masquerading as attackers from the Islamic Republic, British and US officials said on Monday.

The Russian group, known as "Turla" and accused by Estonian and Czech authorities of operating on behalf of Russia's FSB security service, has used Iranian tools and computer infrastructure to successfully hack into organizations in at least 20 different countries over the last 18 months, British security officials said.

The hacking campaign, the extent of which has not been previously revealed, was most active in the Middle East but also targeted organizations in Britain, they said.


Paul Chichester, a senior official at Britain's GCHQ intelligence agency, said the operation shows state-backed hackers are working in a "very crowded space" and developing new attacks and methods to better cover their tracks.

In a statement accompanying a joint advisory with the US National Security Agency (NSA), GCHQ's National Cyber Security Centre said it wanted to raise industry awareness about the activity and make attacks more difficult for its adversaries.

"We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them," said Chichester, who serves as the NCSC's director of operations.

Officials in Russia and Iran did not immediately respond to requests for comment sent on Sunday. Moscow and Tehran have both repeatedly denied Western allegations over hacking.

Western officials rank Russia and Iran as two of the most dangerous threats in cyberspace, alongside China and North Korea, with both governments accused of conducting hacking operations against countries around the world.

Intelligence officials said there was no evidence of collusion between Turla and its Iranian victim, a hacking group known as "APT34" which cybersecurity researchers at firms including FireEye say works for the Iranian government.

Rather, the Russian hackers infiltrated the Iranian group's infrastructure in order to "masquerade as an adversary which victims would expect to target them," said GCHQ's Chichester.

Turla's actions show the dangers of wrongly attributing cyberattacks, British officials said, but added that they were not aware of any public incidents that had been incorrectly blamed on Iran as a result of the Russian operation.

The United States and its Western allies have also used foreign cyberattacks to facilitate their own spying operations, a practice referred to as "fourth party collection," according to documents released by former U.S. intelligence contractor Edward Snowden and reporting by German magazine Der Spiegel.

GCHQ declined to comment on Western operations.

By gaining access to the Iranian infrastructure, Turla was able to use APT34's "command and control" systems to deploy its own malicious code, GCHQ and the NSA said in a public advisory.

The Russian group was also able to access the networks of existing APT34 victims and even access the code needed to build its own "Iranian" hacking tools.