Russian-Linked Turla Group Compromised Iran’s Infrastructure for False Flag Operations

Turla (Russia): US and UK officials have reported that the Russian threat actor Turla has been piggybacking on infrastructure put in place by the Iranian threat actor APT34. By doing this, the group was able to disguise its attacks and lead victims to believe APT34 was behind them. Turla was originally accused by Estonian and Czech authorities of operating on behalf of the FSB, Russia's main intelligence agency. Turla has allegedly been using Iranian tools to target over 20 different countries in the past 18 months. US and UK officials stated that there was no evidence of the two groups colluding in the attacks. Threat actors work in a crowded space and are bound to run into one another at some point; in this case, Russia found Iranian infrastructure, gained access to it, and tried to pass itself off as Iran. Ultimately, it was discovered that Russia was behind the attacks, and one official stated that eventually all false flag operations will be exposed. With access to the Iranian infrastructure, Turla was able to take control of APT34's command and control servers and deploy its own malware from there, masking the attacks it was carrying out. Turla also gained access to APT34's victims' networks and to Iranian malware builders, allowing it to create malware that could be passed off as Iranian code.

Analyst Notes

Attacks like these are prime examples of why analysts should not be quick to attribute an attack to one particular threat actor. All available information about the attack must be gathered and analyzed before anyone is accused. False flag operations are not a new concept and are used by many different threat actors, including those in the West, to collect intelligence in what they call "fourth party collection." In this instance, Turla made its attacks over the past 18 months appear to be Iranian, fueling the geopolitical tensions between Iran and the rest of the world. Companies that experience attacks they believe could be attributed to a nation-state are encouraged to report their findings to the appropriate government officials. In the United States, the FBI is the lead agency responsible for investigating nation-state cyber-attacks. Sharing threat information with both government and private sector security companies can help others detect and defend against serious threats.