
Russian Cyber Hackers Hit Iranian Rival as they Target Middle Eastern Government Computers

Eighteen months of campaigns featured a rapidly evolving tool-set

By CBR Staff Writer

Cyber confusion reigns as threat groups with state ties get down with a bit of not-so-friendly fire in attacking the infrastructure of a Middle Eastern government.

Researchers at Symantec believe that a Russian-speaking hacker group hijacked the infrastructure of their Iranian rival Crambus (aka OilRig) in 2018.

During this attack the hacker group known as Waterbug (aka Turla) dropped malware onto computers that Crambus had captured. This malware was communicating back to known Waterbug C&C servers. The order in which Symantec believes this unique event happened is that first Crambus hacked and took control of sections of the computer infrastructure of an as-yet unnamed Middle Eastern government.

Potentially sensing an opportunity to gain added network power and to stick one into a rival, the Waterbug threat group dropped a task scheduler called msfgi.exe onto a computer in Crambus' network. The very next day they used Mimikatz to move laterally across the network.

The Mimikatz hacking tool was deployed onto Crambus’ network in early 2018. “Mimikatz was downloaded via the Powruner tool and the Poison Frog control panel. Both the infrastructure and the Powruner tool have been publicly tied to Crambus by a number of vendors,” Symantec researchers note in their report.

The particular variant of Mimikatz used in the attack ties it to the Waterbug group, which has heavily modified the tool by rewriting nearly all of the original code, with the exception of the sekurlsa::logonpasswords credential-stealing feature.

Russian Cyber Hackers WaterBug Previous Activity

If this is one threat group taking over another’s infrastructure, it marks an interesting escalation in tactics and demarcates the growing sophistication of the Russian threat group Waterbug.


Since early 2018 Waterbug has been linked to an array of attacks targeting organisations in 10 different countries. These include ministries of foreign affairs across three continents, an ICT organization in the Middle East, as well as an educational institution in South Asia.

Tracking these attacks, researchers have noted that the group is getting more sophisticated and has been deploying new weapons throughout the year. These new tools include a custom hacking tool that combines four previously leaked hacking tools, EternalBlue, EternalRomance, DoublePulsar and SMBTouch, into one executable.

They are also using Visual Basic scripts that perform system reconnaissance after an attack and send the data back to servers they control.

Symantec notes that PowerShell attacks are still popular as the group uses: “PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs.”

Motive for Cross Attack

What exactly is happening between these two hacker groups, that have ties back to state actors, is still unclear. Symantec found that the whole affair gets a bit messy as a legitimate systems administration tool named IntelliAdmin suddenly appeared in Crambus’ network. It appears to have been dropped in by Waterbug backdoors onto computers that had not been compromised by Crambus.

Some believe that this is a false flag operation intended to sow confusion and throw researchers and the cyber defense community off their game.

One scenario Symantec has put forward is that Waterbug was gearing up to attack the Middle Eastern government systems itself, but after reconnaissance showed that Crambus had already started a similar attack, it was simply easier to take over Crambus' network, which also gave Waterbug access to the government systems.

While Symantec still has a host of unanswered questions it notes that: “Waterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape.”
