Turla VS Oilrig: when APTs clash

Russian APT uses then abuses Iranian APT tools and infrastructure


Turla background

Turla (Venomous Bear, KRYPTON, WATERBUG) is a Russian APT that has operated since approximately 2005, uses spear phishing and watering hole campaigns, and develops tools and malware. The group is believed to be supported by the Russian government and is famous for using the complex Snake rootkit*, which was used to target mostly NATO nations.


The development of Turla’s techniques

Recent articles report the use of many new tools that show the group diversified their techniques after the Snake rootkit. Examples of malicious campaigns reported online are:


  • Use of a new backdoor, called LightNeuron by Kaspersky and Neptun by Symantec, designed to attack Microsoft Exchange email servers and to use steganography to hide commands inside a PDF or JPEG file. Reports indicate that it can read and modify any email going through the mail server, write and send new emails, and block chosen emails.


  • Use of a Remote Procedure Call backdoor that can use code from the public PowerShellRunner to execute weaponized PowerShell scripts without using powershell.exe. This method loads and executes the malware in memory, and so avoids detection by antimalware products.
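
A defender-side check for the technique in the second bullet, as an added example that is not from the original article: PowerShell run without powershell.exe still loads the System.Management.Automation assembly into its host process, so image-load telemetry can flag unexpected hosts. The events are constructed samples shaped like Sysmon Event ID 7 (fields `Image`, `ImageLoaded`); the allow-list, host names and file paths are assumptions.

```python
import ntpath  # Windows path parsing that works on any OS

# Assumption: processes expected to host the PowerShell engine; tune per environment.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe", "wsmprovhost.exe"}
# PowerShell engine assembly, as IL and as native image.
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}

def unexpected_powershell_hosts(events):
    """Return one (computer, image, dll) tuple per process that loads the
    PowerShell engine without being an expected PowerShell host."""
    findings, seen = [], set()
    for ev in events:
        if ev.get("EventID") != 7:  # only image-load events
            continue
        dll = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        image = ev.get("Image", "")
        if dll not in ENGINE_DLLS:
            continue
        if ntpath.basename(image).lower() in EXPECTED_HOSTS:
            continue
        key = (ev.get("Computer"), image.lower())
        if key not in seen:  # report each host/process pair once
            seen.add(key)
            findings.append((ev.get("Computer"), image, dll))
    return findings

# Constructed sample events (not real telemetry); paths are illustrative.
GAC = r"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation"
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "HOST-A",  # normal PowerShell session
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE",
     "ImageLoaded": GAC + r"\System.Management.Automation.dll"},
    {"EventID": 7, "Computer": "HOST-B",  # hypothetical service hosting the engine
     "Image": r"C:\ProgramData\svc\rpcsrv.exe",
     "ImageLoaded": GAC + r"\System.Management.Automation.ni.dll"},
    {"EventID": 7, "Computer": "HOST-B",  # repeat load, reported once
     "Image": r"C:\ProgramData\svc\rpcsrv.exe",
     "ImageLoaded": GAC + r"\System.Management.Automation.ni.dll"},
    {"EventID": 7, "Computer": "HOST-B",  # unrelated DLL
     "Image": r"C:\ProgramData\svc\rpcsrv.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Computer": "HOST-B",  # process creation, not an image load
     "Image": r"C:\ProgramData\svc\rpcsrv.exe"},
]

if __name__ == "__main__":
    for computer, image, dll in unexpected_powershell_hosts(SAMPLE_EVENTS):
        print(f"{computer}: {image} loaded {dll}")
```

Legitimate management software can also host the engine, so findings are leads for triage rather than verdicts.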


In the last two years Turla has been accused of using tools called Neuron (and later Neuron2). These tools are also designed to attack Microsoft Windows platforms. They target servers with the aim of gaining persistent access to the network and compromising it to gather intelligence, so their function is similar to that of the Neptun (LightNeuron) malware. The Neuron tool has been used mostly against victims in the Middle East, including government, military and universities, which are the typical targets of cyberattacks. Analysis reveals that many of the victims of the Neuron tool were previously victims of the older Snake malware. It is therefore possible that Turla targeted people who had already been compromised by the first malware as a way to test whether the newer Neuron tool works.


The hijacking of Iranian APT infrastructure

An interesting development was recorded by investigators, who found that the malware victims were sometimes attacked from Turla infrastructure, but that sometimes the Turla implants were deployed from infrastructure linked to the Oilrig Iranian cyber group (APT34, Crambus). It seems that in 2017 and 2018 Turla hijacked infrastructure of the Iranian APT for a campaign that used the Iranian Powruner tool and the Poison Frog control panel to deliver malware. It is likely that this use of Iranian infrastructure was performed without the permission of Oilrig, although the Iranian APT could have seen the Turla activity as it happened if they had been watching.


Although Turla might have used the Iranian infrastructure to reduce their work, it is surprising that an advanced cyber group did not hide their technical footprint. The reason that Turla did not hide their footprint is unknown; it could be that the group wants to confuse investigators and does not care if they compromise the Iranian APT in the process. There are stories about Chinese and Russian APT conflicts and accidental collisions between two North Korean APTs, but we believe this is the first time that one APT has used the tools and accesses of another APT for malicious use.


It was also observed that once Turla had hijacked the Oilrig infrastructure, the group scanned for Iranian backdoor ASPX webshells, which demonstrates that Turla was interested in where the Iranian tools had been used. It demonstrates again the secretive behavior that indicates that the Iranian APT was not aware of Turla’s activities.


All the behavior and activities of Turla indicate that the Neuron tool was developed by the Iranian APT and was used by the Russian group for their objectives.



Friendly fire

Recent reports show that when using the APT34 Poison Frog control panel, the Turla group deployed their own Russian version of an implant against the Oilrig infrastructure to exfiltrate data. The use of this implant allows Turla to understand everything about the identity of the Oilrig victims, and without doing any hard work Turla can now use the tools that were developed by the Iranians.


International cyber cooperation?

Oilrig will think that they have been the victims of unprovoked actions by Turla and will be angry that their own tools and victim lists have been compromised. For this reason this is likely to end cyber cooperation between the Russians and Iranians.


Also, there are rumors online that members of Turla have tried to sell source code from Oilrig hacking tools. The sale of Oilrig source code has not been confirmed by ICNA, but if it is true it is a certain dagger in the back.





* A rootkit is a set of tools that enables unauthorized and concealed access to a computer system.

RPC is a protocol that uses the client-server model to allow one program (the client) to request a service from a different program located on another computer. This means that a procedure can be executed in a different address space, for example on another computer instead of locally.

Microsoft PowerShell is a scripting language used to configure systems and to automate administration tasks.

A webshell is a script that can be installed onto a web server if a vulnerability is detected and that allows remote access to that web server through a web browser, because the web browser behaves like a command line interface. The ASPX webshell is a webshell written in ASP language; it can be used to harvest and exfiltrate sensitive data and credentials or to upload malware.
