If nation-sponsored hacking was baseball, the Russian-speaking group called Turla would not just be a Major League team—it would be a perennial playoff contender. Researchers from multiple security firms largely agree that Turla was behind breaches of US Department at Defense in 2008, and more recently the German Foreign Office and France’s military. The group has also been known for unleashing stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations.
Now, researchers with security firm Symantec have uncovered evidence of Turla doing something that would be a first for any nation-sponsored hacking group. Turla, Symantec believes, conducted a hostile takeover of an attack platform belonging to a competing hacking group called OilRig, which researchers at FireEye and other firms have linked to the Iranian government. Symantec suspects Turla then used the hijacked network to attack a Middle Eastern government OilRig had already penetrated. Not only would the breach of OilRig be an unprecedented hacking coup, it would also promise to make the already formidable job of attribution—the term researchers use for using forensic evidence found in malware and servers to pin a hack on a specific group or nation—considerably harder.
A murkier world
“The fact that we’ve seen one advanced group taking over the infrastructure of anther nation-backed group changes a lot of policy discussions that are going on because it complicates attribution,” Jonathan Wrolstad, principal cyber intelligence analyst in Symantec’s Managed Adversary and Threat Intelligence group, told Ars. “This does make us live in the world now that’s a bit murkier.”