The group Turla, also known as Waterbug and VENOMOUS BEAR, used a variety of Iranian tools and infrastructure to hack into “government, military, technology, energy and commercial organizations” in order to steal intelligence from dozens of countries, the U.K. National Cyber Security Center (NCSC) and National Security Agency (NSA) said in a joint report.
The majority of the vulnerable nations were in the Middle East, NCSC said.
“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla group being behind this campaign,” said NCSC Director of Operations Paul Chichester. “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them.”
“Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims,” he added.
NCSC said documents, including those from governments, were stolen from the various countries.
“Turla used implants derived from the suspected Iran-based hacking groups’ previous campaigns, ‘Neuron’ and ‘Nautilus.’ In order to acquire these tools and access the infrastructure, Turla also compromised the suspected Iran-based hacking groups themselves,” the center pointed out.
“After acquiring the tools — and the data needed to use them operationally — Turla first tested them against victims they had already compromised […] and then deployed the Iranian tools directly to additional victims,” according to the report. “Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold.”
Turla is a known hacking group that targets several different types of organizations, NCSC said.