Published on August 16th, 2019
Turla Espionage Group Hacks OilRig APT Infrastructure
Security researchers tracking activities of various nation-state cyber-espionage groups found evidence suggesting that the Turla group hijacked the infrastructure of OilRig hackers to compromise a target both actors were interested in.
Turla is a Russian-backed advanced threat actor also known by the names Waterbug, Snake, WhiteBear, VENOMOUS BEAR, and Krypton. It focuses on cyber-espionage, with a diverse set of victims ranging from the military and government sector to education and research entities.
Also known by multiple names (Crambus, APT34, HelixKitten), OilRig is linked to the Iranian government and engages in the same type of espionage activities. Its victims are typically from government agencies and companies from the Middle East.
Custom malware betrayal
Over the past 18 months, Symantec observed three campaigns from Turla. In one of them, aimed at a victim in the Middle East, the Russian actor appears to have hijacked the infrastructure from Crambus espionage group and used it to compromise the target.
In a report today, the researchers say that while a collaboration between the two groups is possible, they did not find evidence supporting this theory.
One indication is the use of a custom variant of Mimikatz – a post-exploitation tool for collecting passwords from system memory – that was previously seen in attacks attributed to Turla.
The heavily modified variant of the utility stripped almost all the original code and preserved the password-stealing feature. While Turla is known for customizing publicly available tools, this is not something seen in Crambus operations.
Another detail supporting this opinion is the use of the same Mimikatz sample on a target in the UK two years ago. The tool was then dropped by a malware known to be developed by Waterbug.
Using OilRig to compromise the target
Symantec says that the Middle East victim was first compromised by Crambus, as early as November 2017. The researchers noticed signs of Waterbug activity on January 11, 2018, when the group dropped one of its tools on the victim’s network.
A day later, the telltale Mimikatz version landed from a command and control (C2) server operated by the Crambus group. The computer infected this way did not present evidence that the Iranian hackers had compromised it.
At that point, some systems on the victim’s network were compromised by Crambus, while others were controlled by Waterbug.
Things got more complicated later when Symantec saw that a legitimate system administration tool called IntelliAdmin appeared on the target’s network. This utility was used by Crambus in past operations but this time it was added by a Waterbug backdoor.
There are many possible reasons for such an operation; one of them is that the Russian hackers used this modus operandi as a false flag, to throw investigators off track.
Another possibility is that they simply took advantage of an opportunity to gain access to their target. Documents leaked from OilRig operations revealed that the control panel for one of Crambus’ backdoors (Poison Frog) was vulnerable to takeover attacks.
Turla has a fresh toolset
While analyzing the three campaigns from Waterbug, Symantec observed new tools from the group. One of them is a backdoor called Neptune. Two new custom backdoors – a Remote Procedure Call (RPC) backdoor and another called ‘photobased.dll’ – were also used in one attack, in conjunction with a modified version of the public tool Meterpreter.
In the third operation, the hackers used a different RPC backdoor, which included code from “the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe.”
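Running PowerShell scripts without powershell.exe still requires the PowerShell engine assembly (System.Management.Automation) to be loaded into whatever process hosts it, and that image load is something endpoint telemetry can record. The following is an added detection example, not code from Symantec or from the article; it assumes image-load records shaped after Sysmon Event ID 7 (Image and ImageLoaded fields) flattened into key=value lines, and the log lines themselves are constructed. It flags the engine being loaded by any process that is not a known PowerShell host.

```python
"""Flag PowerShell engine loads by processes that are not known PowerShell hosts.

Added example (not the article's or Symantec's code). Assumptions: records are
image-load events modelled on Sysmon Event ID 7, flattened to 'key=value' text,
and the set of legitimate PowerShell host binaries is the small list below.
"""
import re
from typing import Dict, List

# Legitimate hosts of the PowerShell engine. Assumption: extend per estate
# (e.g. pwsh.exe, management consoles that embed the engine).
KNOWN_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe",
}

# The engine assembly, either the IL assembly or its native image (.ni.dll).
# Matched on the file name only, case-insensitively.
ENGINE_RE = re.compile(r"system\.management\.automation(\.ni)?\.dll$", re.I)

# Constructed sample records: a normal powershell.exe load, a suspicious load by
# a binary in a user's Temp directory, and an unrelated image load.
SAMPLE_LOGS = [
    "EventID=7 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ImageLoaded=C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\"
    "1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll",
    "EventID=7 Image=C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe "
    "ImageLoaded=C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\"
    "System.Management.Automation\\System.Management.Automation.ni.dll",
    "EventID=7 Image=C:\\Windows\\System32\\notepad.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'key=value key=value' text; a value runs until the next ' key='."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def flag_unusual_hosts(lines: List[str]) -> List[Dict[str, str]]:
    """Return image-load records where the PowerShell engine is loaded by a
    process outside KNOWN_HOSTS. Each hit carries the host image and module."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("EventID") != "7":
            continue
        module = rec.get("ImageLoaded", "")
        if not ENGINE_RE.search(module):
            continue
        host = rec.get("Image", "")
        if host.lower() in KNOWN_HOSTS:
            continue
        hits.append({"host": host, "module": module})
    return hits


if __name__ == "__main__":
    for hit in flag_unusual_hosts(SAMPLE_LOGS):
        print(f"ALERT: PowerShell engine loaded by {hit['host']}")
```

The allow-list approach is deliberate: rather than trying to enumerate malicious hosts, it treats every engine load outside the expected PowerShell binaries as worth a look, which is the behaviour a tool such as PowerShellRunner produces regardless of which process it is injected into. In practice the list of known hosts needs tuning for legitimate software that embeds the engine, and the same logic applies to the native image variant as well as the IL assembly, which is why both file names are matched.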
The three Waterbug campaigns analyzed by Symantec are summarized in the infographic below: