Researchers from multiple security firms largely agree that Turla was behind breaches of the US Department of Defense in 2008, and more recently the German Foreign Office and France’s military.
Turla, Symantec believes, conducted a hostile takeover of an attack platform belonging to a competing hacking group called OilRig, which researchers at FireEye and other firms have linked to the Iranian government.
Symantec suspects Turla then used the hijacked network to attack a Middle Eastern government OilRig had already penetrated.
Not only would the breach of OilRig be an unprecedented hacking coup, it would also promise to make the already formidable job of attribution—the term given by researchers for using forensic evidence found in malware and servers to pin a hack on a specific group or nation—considerably harder.
“The fact that we’ve seen one advanced group taking over the infrastructure of another nation-backed group changes a lot of policy discussions that are going on, because it complicates attribution,” Jonathan Wrolstad, principal cyber intelligence analyst in Symantec’s Managed Adversary and Threat Intelligence group, told Ars.
Turla is also known as Snake, and Symantec calls it Waterbug.