Oct 21, 2019

Russia used Iranian hacker infrastructure and tools for espionage

Russian President Vladimir Putin and Iranian President Hassan Rouhani at a meeting in Armenia in early October. Photo: Mikhail Metzel/TASS via Getty Images

U.S. and U.K. intelligence agencies confirmed Monday that the Russian espionage hacker group Turla used tools and infrastructure from Iranian espionage group OilRig, likely without the Iranian group's knowledge.

Why it matters: Moves like this can sometimes confound efforts to understand who exactly has spied on what. And, by monitoring malware implanted by Iran, Turla saved itself the effort of hacking targets directly.

  • The backdrop: OilRig traditionally spies on Middle Eastern targets. Turla, whose operations are more global in nature, is only known by the NSA and NCSC to have used OilRig malware when spying on Middle Eastern targets.

Details: An investigation by the NSA and the U.K.'s lead cybersecurity intelligence agency details that malware that Turla has used since at least 2017 was "very likely Iranian in origin," according to a report released by the U.K.'s National Cyber Security Centre.

  • OilRig was "almost certainly not aware of, or complicit with, Turla’s use of their implants," according to the report.
  • More than just re-appropriating malware, it appears Turla piggy-backed on OilRig's control infrastructure and even used the malware implanted by the OilRig hackers to do its own espionage.
  • Turla's use of OilRig hacking infrastructure was first reported by Symantec in June.
  • The NSA and NCSC are the first to note that the malware tools Nautilus and Neuron, once thought to be from Turla, are actually from Iran.

The bottom line: In one fell swoop, the Western allies have left egg on the faces of both Iran and Russia, two key rivals in the cyber domain.

Go deeper

A hacker group of Chinese spies is stealing text messages

A hacker group linked to Chinese espionage is illicitly installing software at telecommunications companies to steal text messages from specific users and regarding specific topics, according to cybersecurity firm FireEye.

The big picture: While Chinese espionage is often linked to intellectual property theft, the targets in this case appear to be more linked to traditional espionage, including senior political and military figures and topics that could be of interest to Chinese policymakers.

Go deeper (Oct 31, 2019)

Secret cables expose Iran's influence-building in Iraq at U.S. expense

A protester in Baghdad rejects U.S. and Iranian influence. Photo: Ameer Al Mohammedaw/picture alliance via Getty Images

Hundreds of secret Iranian intelligence cables obtained by the Intercept and shared with the New York Times "show how Iran, at nearly every turn, has outmaneuvered the United States in the contest for influence" in Iraq, per the Times.

Why it matters: Widespread protests in Iraq against corruption and poor government services have in some cases been spurred on by another grievance: Iranian influence over Iraqi politics. These documents, which date to 2014-2015, offer glimpses of how that influence was built and exercised — often at the expense of, and due to failures by, the U.S.

Go deeper (Nov 18, 2019)

Iran to inject uranium gas in further break from nuclear deal

Iran's President Hassan Rouhani speaks at parliament in the capital Tehran. Photo: Atta Kenare/AFP via Getty Images

Iranian President Hassan Rouhani announced Tuesday Iran would "resume uranium enrichment" at its Fordow plant and begin injecting uranium gas into 1,044 centrifuges, Iranian state media reports.

Why it matters: The announcement coincided with the first anniversary of the Trump administration's "maximum pressure" campaign against Iran. Axios contributor Barak Ravid notes the announced plans are a substantial breach of Iran's nuclear deal.

Go deeper (Nov 5, 2019)