Cybercriminals have their own ways of working. In what may be a very worrisome development for US and Europe, it seems Russian and Iranian cybercriminals have put together resources for a combined attack on 35 countries.
A joint report by the US' National Security Agency (NSA) and UK's National Cyber Security Centre (NCSC) has highlighted that Russian government piggybacked on hacking tools designed by Iranian groups to attack 35 countries at once.
The attack was focused largely on the Middle East, targeting the interests of both the US and Europe.
The software, which has been called Turla and is backed by the Russian state, is believed to have infiltrated spyware tools such as Neuron and Nautilus, both of which were designed by Iranian hackers. There is a twist, though: both agencies claim that the Iranians were unaware of the development and do not seem to have coordinated with the Russians.
This is not the first time this has happened. Previously, antivirus software company Symantec found that Russian cyberattackers used an Iranian tool called APT34.
So, in short, the Russians hacked the Iranians in order to hack the US and Europe in turn. This appears to be a subterfuge intended to hide their identities.
Turla first went into Iranian operational infrastructure to deploy its own rootkit implants. It used the infrastructure to gather information on victims, which included military establishments, government departments, scientific organisations and universities.
Turla exploited the command-and-control servers of the Iranian APTs to deploy its tools and siphon off data using keyloggers.
The exploit also seems to have exposed the techniques, tactics and procedures of the Iranian APTs to the Russian operators. The list of victims and leaked credentials is not yet known. The Russians may also have learnt the coding behind tools such as Neuron, which means that security agencies should prepare for more such attacks.
While the US and Europe use spyware to spy on their own citizens, there is no concerted effort for launching counter-attacks. Currently, only reports are published after an attack has taken place.