Espionage group hijacks rival's infrastructure


By Dylan Bushell-Embling
Tuesday, 25 June, 2019

Symantec security researchers believe that they have observed for the first time a cyber espionage group hijack the infrastructure of another espionage group.

The researchers have been tracking the activity of the Waterbug (otherwise known as Turla) espionage group, which has continued to attack governments and international organisations over the past 18 months.

During one attack against a Middle Eastern target, Waterbug appeared to hijack the infrastructure from the separate Crambus group and used it to deliver malware on the victim’s network. Media reports have linked Waterbug with the Russian government and Crambus with Iran.

“While it is possible that the two groups may have been collaborating, Symantec has found no further evidence to support this,” Symantec’s DeepSight Adversary Intelligence Team said in a blog post.

“In all likelihood, Waterbug’s use of Crambus infrastructure appears to have been a hostile takeover. Curiously, though, Waterbug also compromised other computers on the victim’s network using its own infrastructure.”

Symantec said the incident leaves a number of unanswered questions about Waterbug’s motive for hijacking Crambus infrastructure.

The blog post lists several possibilities, including a potential false flag operation, or the possibility that Waterbug attackers discovered the Crambus intrusion while preparing their own attack and used it as a means of gaining access while sowing confusion among investigators.

Waterbug’s attacks over the past 18 months can be divided into three campaigns, with targets in South America, Europe, the Middle East, and South and South East Asia. Since early 2018, Waterbug has attacked 13 organisations across 10 different countries.

“Waterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets,” the blog post states.

“Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape.”
