British spooks expose Russian-based cyber hacking gang masquerading as Iranian crooks after they targeted a UK academic organisation
- National Cyber Security Centre spent more than 18 months probing Turla group
- The terror group routinely targets governments and commercial organisations
- Members hijacked the Iranian hacking group APT34 to attack 35 countries
British spooks have exposed a Russian-based cyber hacking gang masquerading as Iranian crooks after they targeted an academic organisation in the UK.
The National Cyber Security Centre (NCSC) spent more than 18 months investigating the Turla terror group – which routinely targets governments, the military, technology, energy and commercial organisations to collect intelligence – after an unnamed ‘UK academic organisation’ was compromised.
The NCSC, part of the Government Communications Headquarters, said Turla hijacked an alleged state-backed Iranian hacking group, known as OilRig or APT34, to subsequently carry out attacks on 35 countries, the majority of which were in the Middle East.
Paul Chichester, the NCSC’s director of operations, said: ‘This has been a many months-long investigation, because we wanted to unpick and unpack what was going on between these two actors.
‘We saw Turla doing more development work and seeing APT34 as a target. Turla then sought to compromise the operational platforms that APT34 used themselves. It is where the APT34’s crown jewels are.’
Mr Chichester said exposing Turla was significant because of the new method of its espionage.
In a briefing to journalists, he said: ‘We want to call out this behaviour and share the knowledge.
‘This is more assessment than fact – I think initially it looked more like an attempt to see how far they could go. That has given them, over time, a range of capabilities should they choose to do it. This is a real change in the modus operandi of a cyber attack.’
The UK-based cyber security experts, who worked in collaboration with their US counterparts, said Turla’s intention was to masquerade as an adversary that victims might more likely think would target them.
It meant there was the potential for some cyber attacks to be mis-attributed to APT34, rather than Turla.
Mr Chichester said there was no evidence to believe that Iran was complicit in the cyberhack, nor was there any evidence of collusion.
‘This is a group of opportunists being inventive – we have got no evidence to suggest this is a politically led campaign,’ he said.
‘We have never seen these done to the significance it has been done here, it is unique in its complexity.
‘It is not linked to a broader Russian campaign, we’re calling it out because it is a new technique. There is not enough known about this in the public domain.’
He said members of the public would not be affected by the cyberhack, but said the NCSC wanted to share the success of the operation ‘so targets can better defend themselves’.