We all enjoyed a front row seat Monday to a special event in the history of public attribution: the NSA and GCHQ (via NCSC UK) revealed that the Russian adversary Turla not only compromised the tooling and infrastructure of Iranian adversary OilRig but then leveraged said tooling and infrastructure to conduct its own operations. Offhand, I cannot recall another time Western government agencies have exposed this particular flavor of cyber activity. And while there is much to digest — from how these tools that were so Turla-esque were in fact Iranian to the implications of Turla actually masquerading as OilRig during operations to claims of “here is an example of why attribution matters as a contributing deterrence mechanism” — the discussion I’ve seen has focused almost entirely on cyber-versus-cyber elements such as these.
There is more here, if we just remember that these are intelligence agencies. And intelligence agencies get up to all sorts of things.
Consider the extent to which Turla is described as compromising OilRig. To my eye, this is more than swimming up somebody else’s infrastructure with a set of weakly secured credentials. This is one actor not only identifying and lifting upper-tier tooling from another, but then fingerprinting and mapping the other’s infrastructure sufficiently to turn it into something scannable and (apparently) covertly compromise-able. These are achievements in and of themselves. To subsequently take that access and operationalize it to conduct targeted intrusions, that is an achievement further still.
NSA and GCHQ apparently were able to develop this complete picture. They did not do it by accident and they did not do it through open sources. This information, regardless of how elements of it may have become public through the ventures of others, was at some point insanely sensitive. And Monday, it was published for all of us to enjoy and admire.
But what more can we really do as defenders than admire it? Sure, this is fascinating to us as spectators-slash-sometime-players in the world of state-nexus cyber activity, but for us the defensive value of the material published is less in action than it is in context. Would NSA and GCHQ then burn their own knowledge of Turla’s expansive successes and OilRig’s unexpected sophistication just for us all to ooh and ahh over the intricacies of fourth- and fifth-party collection antics? Just to make sure we don’t say Tool X belongs to Adversary G rather than Adversary F? The short answer is they wouldn’t. They would’ve had an ulterior motive.
My theory? Monday was likely the last twist of the knife in an extended piece of offensive counterintelligence with both Russian and Iranian targets. At some point there must’ve been a trigger, whereupon it was decided by the authorities on both sides of the Atlantic that this information was no longer of value in its original purpose. That there were no further ways to exploit this knowledge aside from making it public. What the preceding manners of exploitation likely consisted of, I think it would be silly for me to speculate; the potential answers in the realms of counterintelligence and covert action are legion. But I am confident they must’ve occurred and they may even have extended all the way back to November 2017 or earlier. Furthermore, NSA and GCHQ would know that in burning these activities publicly, they are also providing an impetus — if not even limited leads — for the burned adversaries to conduct investigations into how all this was uncovered. It would be foolish, then, to think for a moment that these agencies would abandon such high ground unless they believed that they had truly squeezed every last drop of classified value of this information before letting it out into the open.
So in this theory, Monday was the “last possible use case” for them: cap off whatever shenanigans they got up to with burning both adversaries, send some subtle and not-so-subtle signals to same, reap the rewards of the community singing the value of attribution et al., move on. In that context of hard counterintelligence competition, it becomes eminently reasonable to suggest that the timing of this news is more important than the message.
And what interesting timing it is. Two months since OilRig’s more recent tactics, techniques, and procedures were publicly outed. Three months since knowledge of Turla’s ability to at least partially compromise OilRig was made public. Five months since extended leaks began on OilRig’s comparatively more pedestrian tooling. If you really think Monday’s news is only playing a serendipitous part in OilRig’s Terrible, Horrible, No Good, Very Bad Year, then I have a bridge in Brooklyn to sell you.
Acknowledgement: These thoughts, like the events described, didn’t develop in a vacuum. My thanks to those who shared their wisdom with me, as there is always more to learn.