Deception has always been part of the hacker playbook. But it’s one thing for intruders to hide their tracks, and another to adopt an invented identity, or even frame another country for a cyberattack. Russia’s hackers have done all of the above, and now gone one step further: In a series of espionage cases, they hijacked another country’s hacking infrastructure, and used it to spy on victims and deliver malware.
On Monday, the NSA and Britain’s GCHQ published warnings that a Russian hacker group known as Turla or Waterbug has for years carried out a convoluted new form of espionage: It took over the servers of an Iranian hacker group known as OilRig, and used them to advance Russia’s aims.
While Symantec and other cybersecurity firms had spotted Turla’s piggybacking earlier this year, the US and UK intelligence agencies have now made clear the operation’s sheer scale. The Russian team spied on victims in 35 countries, all of whom might have believed on first inspection that the intruders were instead Iranian. “We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” reads the statement from Paul Chichester, the NCSC’s Director of Operations.
But while Turla was ultimately unmasked, the operation adds a new dimension of uncertainty for digital investigators. More broadly, it shows the fast-evolving nature of how hackers hide behind false flags. Just a few years ago they were wearing clumsy masks; now they can practically wear another group’s identity as a second skin. And while other countries have dabbled in the practice—North Korea famously hacked Sony Pictures under the moniker “Guardians of Peace”—no one has pushed that progress more than the Russians.
“Their aggressive cyberactivity sits on a foundation of substantial experience in active measures,” says John Hultquist, director of intelligence analysis at threat intelligence firm FireEye. “There’s no question that they’re at the bleeding edge of the problem.”
Starting as early as 2014, Russian hackers have chosen from a seeming grab bag of disguises to create a layer of confusion. In May of that year, for instance, a group calling itself Cyber Berkut hacked Ukraine’s Central Election Commission in the midst of the country’s post-revolution election. “Berkut” is Ukrainian for “eagle,” and also the name of a police force that supported the pro-Russian regime in the revolution and killed more than a hundred protestors. The Cyber Berkut hackers posted a political message to the commission’s website under the guise of activists accusing the Ukrainian government of corruption. They later planted an image on the commission’s web server that showed fake voting results on election day, putting the ultra-far-right candidate Dmytro Yarosh in the lead.
Though the commission managed to discover and delete the image before the voting results were released, Russian media ran with the fake tally nonetheless, hinting at collaboration between the hackers, Russian TV networks, and the Kremlin. Cyber Berkut was later revealed to be a front for the Russian military intelligence hacker group known as APT28 or Fancy Bear.
Over the following years, the GRU would repeat those false flag “hacktivist” attacks again and again. Hackers calling themselves Cyber Caliphate hit the French television station TV5Monde in 2015, destroying the station’s computers and posting a jihadi message on its website. The misdirection led to immediate speculation that ISIS had perpetrated the attack, before the French intelligence agency ANSSI pinned it on the GRU. And in 2016, security firm CrowdStrike identified the GRU as the spy agency behind a US-targeted false flag operation, this time the hacking of the Democratic National Committee and later Hillary Clinton’s presidential campaign. The Fancy Bear hackers responsible had hidden behind fronts like a Romanian hacktivist named Guccifer 2.0, and a whistleblowing site called DCLeaks that distributed the stolen documents.
By the end of 2016, GRU hackers began to shift their tactics. In December of that year, analysts at the Slovak cybersecurity firm ESET noted that the GRU hackers they called Telebots, also known as Voodoo Bear or Sandworm, used both hacktivist and cybercriminal fronts in their data-destructive attacks on Ukrainian networks. In some cases, they found that wiped computers displayed a message that said “WE ARE FSOCIETY, JOIN US,” a reference to the anarchic hacktivists from the television show Mr. Robot. But in other incidents around the same time, ESET found that the hackers demanded a ransomware payment in bitcoin.