Russian hackers acquired Iranian tools and infrastructure to conduct attacks on dozens of countries, security officials in the UK and USA have revealed.

Advisories published by the UK’s National Cyber Security Centre (NCSC) and US National Security Agency (NSA) have shown that the group targeted victims and adopted techniques used by suspected Iran-based hacking groups.

Victims, the majority of whom were based in the Middle East, saw documents extracted from various sectors, including governments.

Turla used implants derived from the suspected Iran-based hacking groups’ previous campaigns, ‘Neuron’ and ‘Nautilus’. In order to acquire these tools and access the infrastructure, Turla also compromised the suspected Iran-based hacking groups themselves.

The attacks against more than 35 countries would appear to the victims to be Iranian in origin, but the NCSC revealed that this was not the case.

Interestingly, in some instances, it appeared that the implant had first been deployed by an IP address associated with an Iranian APT group, and then was later accessed from infrastructure associated with Turla, a suspected Russia-based group, suggesting Turla effectively took control of victims previously compromised by a different actor.

Turla, which is also known as Waterbug or VENOMOUS BEAR, regularly collects information by targeting government, military, technology, energy and commercial organisations.

Paul Chichester, a senior official at Britain’s GCHQ intelligence agency, said the operation shows state-backed hackers are working in a “very crowded space” and developing new attacks and methods to better cover their tracks.

“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” said Chichester, who serves as the NCSC’s director of operations.