Hacking the hackers! When it is the spider itself that falls into the (cyber) web ...

(By Ciro Metuarata)
06/11/19

In previous articles, cyber-space has often been represented as the far west in which classic western movies are set, that is, as a reality totally devoid of rules, in which ruthless and unscrupulous bandits reap victims who are completely unable to defend themselves. In particular, groups of cybercriminals, more or less sponsored by sovereign states, rage in the cyber dimension to the detriment of ordinary citizens, as well as governments or private organizations and industries, also enriching themselves with dizzying loot.

This "all against all" cyber landscape does not escape the very "real" law of the strongest, which also applies to the aforementioned groups of cyber criminals, as the following story shows. The story is probably not new, but it is emblematic of the moment in which we live, as it shows how far the struggle for dominance of cyberspace can be pushed, and above all the struggle for possession of the most precious information it contains. A struggle, as we shall see, with no quarter given and no rules ...

On 21 October, the British National Cyber Security Centre (NCSC), in collaboration with the US National Security Agency (NSA), issued a security bulletin concerning two groups of hackers specialized in Advanced Persistent Threats (APT - very sophisticated cyber attacks, protracted over time and aimed at gathering information) and believed to be linked to two nations.

Specifically, bearing in mind what was highlighted in the previous articles about the ability to attribute the origin of cyber attacks, the groups are the one known as Turla (or WhiteBear / WaterBug / Venomous Bear), which would in some way serve the Russian government, and the APT 34 group (also known as OilRig / Crambus), which would instead be in the pay of the Islamic Republic of Iran. For both groups there is sufficient evidence to suggest that they have access to material and intellectual resources that are typically available only to sovereign states and that they operate globally, even if APT 34 is more oriented towards operations in the Middle East.

Precisely in this region, in the past few days, the NCSC has detected a wave of very particular cyber attacks. In summary, Turla allegedly took control of an IT infrastructure created by APT 34 to conduct its illicit activities, mainly intelligence gathering, to the detriment of military and governmental organizations, industries and banks operating in the aforementioned region and of particular interest to Iran. According to the evidence gathered, by accessing the servers used by the Iranian group, Turla would have been able to control the entire network of computers, smartphones and who knows what else, compromised in the previous months by APT 34.

This involved at least four direct consequences:
First. Turla would have obtained, with a single move, access to all the intelligence data collected by APT 34, that is, to a priceless asset obtained by Iran thanks to an operation that lasted months, if not years, and that certainly required significant investment. Nice shot!
Second. Turla would have used the command and control infrastructure built by APT 34 to launch further attacks and compromise other devices, using its own techniques and software. Apparently, the attacks were successful and affected some thirty-five nations, mostly located in the Middle East. Another great result.
Third. "The king is naked": the techniques and computer vulnerabilities exploited by APT 34 would no longer hold any secrets for Turla and for its sponsor. Later they could be reused, adapted to the purposes of the Russian group, which would also be able to defend itself from any retaliation by APT 34. Congratulations again.
Fourth. Chaos. It is well known that, especially in recent times, the Middle East, the region affected by this affair, is also a crossroads of international crises, both regional and of potential global significance. In this delicate context, after the publication of the NCSC bulletin, the Western press was quick to point the finger at the Russian government which, in turn, categorically denied any involvement and accused the West of having hatched a cunning plan of deception in order to undermine the excellent collaborative relations established between the Russian Federation and Iran for the resolution of the crises currently underway in the aforementioned region.

In short, a nice puzzle, which once again demonstrates how cyber capabilities, like other "traditional" military capabilities, can be used by governments to impose their respective foreign policy agendas.

Beyond the techniques used by Turla and reported in the NCSC bulletin and in subsequent research on the subject, which are certainly very interesting for the experts (and get to work on it!), this story should make us reflect, once again, on the reality we are experiencing and on how to deal with it.

Considering that the cyber far west will remain so for a long time to come, given that no supranational organization intends or is able to impose serious regulation, we should ask ourselves: should we continue to limit ourselves to turning out "zero-cost" laws and playing on the defensive or, rather, should we equip ourselves with concrete national cyber offensive capabilities, such as to act as a deterrent?

In a world where even the most skilled spider can end up in its web and succumb, how can a defenseless "gnat" survive?

The survival of our nation is at stake, at least as we know it today, but the impression is that in our beloved country there are still many who have not understood the danger we are running and, indeed, consider these discourses to be too alarming. We hope they are right. Let's hope.

Main sources:
https://www.2-spyware.com/iranian-hacking-tools-hijacked-by-turla-group-...
https://attack.mitre.org/groups/G0010/
https://www.fireeye.com/current-threats/apt-groups.html#apt34
https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-cov...
https://nationalcybersecurity.com/hacking-russia-dismisses-hacking-repor...