There’s no guarantee that any state-sponsored hacking group can keep a tight grip on its own infrastructure, shows a new report from a cyber security firm Symantec. The researchers have uncovered evidence that Russian-speaking group known as Turla (other names Snake or Waterbug) conducted hostile takeover of servers belonging to a rival hacking group called OilRig (APT34, Crambus) previously linked by security experts to Iranian government.
The hijacking apparently took place in January 2018, when a variant of the credential-stealing tool Mimikatz was downloaded on a computer in a Middle Eastern government organization from a server previously controlled by OilRig. Mimikatz was downloaded via the Powruner tool and the Poison Frog control panel. Both the infrastructure and the Powruner tool have been publicly tied to OilRig by a number of researchers.
Symantec believes that the variant of Mimikatz used in this attack is unique to Turla, as it was extensively modified, with almost all original code stripped out. Turla is known for its use of heavily modified publicly available tools, something that is not a common practice for OilRig.
While it’s possible the two groups were collaborating, Symantec said it found no evidence to support that possibility. According to the report, the hijacking of the OilRig’s infrastructure is likely an opportunistic move for Turla and there is no evidence that Iranian group retaliated against the intruders.
As for the reasons behind the hijacking, there are several possible explanations: it could be a false flag tactics to throw investigators off the track, or it might be possible that Turla wanted to compromise the target organization, but found out that the place was taken, and instead hijacked the infrastructure as a means of gaining access, said the researchers. Also there is a possibility that the version of Mimikatz downloaded by the OilRig infrastructure was actually created by the Iranian APT, but this is highly unlikely considering the compilation technique and the fact that the only other occasion it was used was linked to Turla.
The takeover of OilRig’s server was part of a series of active operations carried out by Turla in the last year and half against 13 organizations in 10 different countries. The list of targeted entities include government ministries in Europe, Latin America, the Middle East, and South Asia, as well as organizations in the IT and education sector. In the recent campaigns the group has used “a swath of new tools”, including custom malware, modified versions of publicly available hacking tools, and legitimate administration tools.