LONDON/WASHINGTON—Russian hackers piggy-backed on an Iranian cyber-espionage operation to attack government and industry organizations in dozens of countries. They were masquerading as attackers from the Islamic Republic, British and U.S. officials said on Monday.

The Russian group is known as “Turla.” Estonian and Czech authorities accuse it of operating on behalf of Russias FSB security service. Turla has used Iranian tools and computer infrastructure to successfully hack into organizations in at least 20 different countries over the last 18 months, British security officials said.

The hacking campaign, the extent of which has not been previously revealed, was most active in the Middle East but also targeted organizations in Britain, they said.

Paul Chichester is a senior official at Britains National Cyber Security Centre (GCHQ) intelligence agency. He said the operation shows state-backed hackers are working in a “very crowded space.” They are developing new attacks and methods to cover their tracks better.

In a statement accompanying a joint advisory with the U.S. National Security Agency (NSA), GCHQ said it wanted to raise industry awareness about the activity and make attacks more difficult for its adversaries.

“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” said Chichester, who serves as the NCSCs director of operations.

Officials in Russia and Iran did not immediately respond to requests for comment sent on Sunday. Moscow and Tehran have both repeatedly denied Western allegations over hacking.

Global Hacking Campaigns

Western officials rank Russia and Iran as two of the most dangerous threats in cyberspace, alongside China and North Korea, with both governments accused of conducting hacking operations against countries around the world.

Intelligence officials said there was no evidence of collusion between Turla and its Iranian victim, a hacking group known as “APT34,” which cybersecurity researchers at firms including FireEye https://www.fireeye.com/current-threats/apt-groups.html say works for the Iranian government.

Rather, the Russian hackers infiltrated the Iranian groups infrastructure to “masquerade as an adversary which victims would expect to target them,” said GCHQs Chichester.

Turlas actions show the dangers of wrongly attributing cyberattacks, British officials said. They added they were unaware of any public incidents incorrectly blamed on Iran as a result of the Russian operation, though.

“Our main intent right here is to point out that theres a lot of false flagging going on out there, and we want to make sure the national security systems that were trying to defend are aware,” said Doug Cress. He is a division chief within the NSAs newly formed Cybersecurity Directorate.

The United States and its Western allies have also used foreign cyberattacks to facilitate their spying operations. Its a practice referred to as “fourth party collection,” according to documents released by former U.S. intelligenceRead More – Source