The findings — based on a joint report by the US National Security Agency and the UK’s National Cyber Security Centre (NCSC) — reveal the focus of the activity was largely in the Middle East, where the targeting interests of both Advanced Persistent Threats (APTs) overlap. Named Turla (aka Snake, Uroburos, Waterbug, or Venomous Bear), the state-backed APT is believed to have infiltrated spyware tools such as Neuron and Nautilus — both of which are believed to be the handiwork of Iranian hackers — to further its own aims without their knowledge. “Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla’s use of their implants,” the NCSC said. The report also confirms previous research from Symantec back in June, which found one of Turla’s attacks to involve the use of infrastructure belonging to Iranian espionage collective known as APT 34 (aka OilRig or Crambus). The fact that an Iranian hacking group was itself hacked by another group to spy on other countries and target more victims demonstrates the evolving sophistication of cyberattacks, not to mention the digital subterfuge employed by hackers to hide their tracks. Per the NCSC, Turla went on to use the Iranian operational infrastructure to deploy its own rootkit implants to gather information on victims, namely military establishments, government departments, scientific organisations, and universities. Aside from exploiting the Command and Control (C2) servers of Iranian APTs to deploy their own tools to victims of interest, the Kremlin-linked group focused its efforts on siphoning data off OilRig using keyloggers. “This access gave Turla unprecedented insight into the tactics, techniques and procedures (TTPs) of the Iranian APT, including lists of active victims and credentials for accessing their infrastructure, along with the code needed to build versions of tools such as Neuron for use entirely independently of Iranian C2 infrastructure,” the NCSC concluded.