{"id":27397,"date":"2019-06-20T17:00:59","date_gmt":"2019-06-20T17:00:59","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/30255\/Nation-Sponsored-Hackers-Likely-Carried-Out-Hostile-Takeover-Of-Rival-Groups-Servers.html"},"modified":"2019-06-20T17:00:59","modified_gmt":"2019-06-20T17:00:59","slug":"nation-sponsored-hackers-likely-carried-out-hostile-takeover-of-rival-groups-servers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/nation-sponsored-hackers-likely-carried-out-hostile-takeover-of-rival-groups-servers\/","title":{"rendered":"Nation-Sponsored Hackers Likely Carried Out Hostile Takeover Of Rival Group&#8217;s Servers"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2015\/04\/spy-vs-spy-640x480.jpg\" alt=\"Nation-sponsored hackers likely carried out hostile takeover of rival group\u2019s servers\"><\/p>\n<p>If nation-sponsored hacking was baseball, the Russian-speaking group called Turla would not just be a Major League team\u2014it would be a perennial playoff contender. 
Researchers from multiple security firms largely agree that Turla was behind breaches of the&nbsp;<a href=\"https:\/\/www.nytimes.com\/2010\/08\/26\/technology\/26cyber.html\">US Department of Defense in 2008<\/a>, and more recently the <a href=\"https:\/\/uk.reuters.com\/article\/us-germany-cyber\/german-government-hack-was-part-of-worldwide-campaign-sources-idUKKCN1GE2H5\">German Foreign Office<\/a> and <a href=\"https:\/\/uk.reuters.com\/article\/us-germany-cyber\/german-government-hack-was-part-of-worldwide-campaign-sources-idUKKCN1GE2H5\">France\u2019s military<\/a>. The group has also been known for <a href=\"http:\/\/arstechnica.com\/security\/2014\/12\/powerful-highly-stealthy-linux-trojan-may-have-infected-victims-for-years\/\">unleashing stealthy Linux malware<\/a> and using <a href=\"https:\/\/arstechnica.com\/information-technology\/2015\/09\/how-highly-advanced-hackers-abused-satellites-to-stay-under-the-radar\/\">satellite-based Internet links<\/a> to maintain the stealth of its operations.<\/p>\n<p>Now, researchers with security firm Symantec have uncovered evidence of Turla doing something that would be a first for any nation-sponsored hacking group. Turla, Symantec believes, conducted a hostile takeover of an attack platform belonging to a competing hacking group called OilRig, which researchers at FireEye and other firms have <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/12\/targeted-attack-in-middle-east-by-apt34.html\">linked to the Iranian government<\/a>. Symantec suspects Turla then used the hijacked network to attack a Middle Eastern government OilRig had already penetrated. 
Not only would the breach of OilRig be an unprecedented hacking coup, it would also promise to make the already formidable job of attribution\u2014the term given by researchers for using forensic evidence found in malware and servers to pin a hack on a specific group or nation\u2014considerably harder.<\/p>\n<h2>A murkier world<\/h2>\n<p>\u201cThe fact that we\u2019ve seen one advanced group taking over the infrastructure of another nation-backed group changes a lot of policy discussions that are going on, because it complicates attribution,\u201d Jonathan Wrolstad, principal cyber intelligence analyst in Symantec\u2019s Managed Adversary and Threat Intelligence group, told Ars. \u201cThis does make us live in the world now that\u2019s a bit murkier.\u201d<\/p>\n<p>Hacking groups go by many different names, depending on the people who track them. Turla is also known as Snake, and Symantec calls it Waterbug. OilRig is also known as APT34, and Symantec calls it&nbsp;Crambus. For consistency, this article will use the names Turla and OilRig.<\/p>\n<p>The hijacking would be only one of Turla\u2019s impressive accomplishments of late. Over the past 18 months, Symantec has observed Turla rolling out a suite of new custom hacking tools, in part to ensure that it regains its signature stealth as previous tools and methods have come to the attention of researchers and rivals. In keeping with a recent trend designed to make detection harder, many of the new tools adopt an approach known as \u201cliving off the land,\u201d in which tools run in memory and are based on legitimate administrative tools. 
New tools rolled out since the beginning of 2018 include:<\/p>\n<ul>\n<li>A new custom dropper typically used to install Neptun, a backdoor for Microsoft Exchange servers, as a service.<\/li>\n<li>A custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch) into a single executable.<\/li>\n<li>A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file. It then uses WebDAV to upload to a Box cloud drive.<\/li>\n<li>Visual Basic scripts that perform system reconnaissance after initial infection and then send information to [Turla]&nbsp;command and control (C&amp;C) servers.<\/li>\n<li>PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to [Turla] C&amp;Cs.<\/li>\n<li>Publicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network reconnaissance, PsExec for execution and lateral movement, and Mimikatz (Hacktool.Mimikatz) for credential theft, and Certutil.exe to download and decode remote files. These tools were identified being downloaded via [Turla] tools or infrastructure.<\/li>\n<\/ul>\n<p>Over the same span, Symantec is aware of Turla compromising 13 organizations, many of them well fortified, in 10 countries. 
They include:<\/p>\n<ul>\n<li>The Ministry of Foreign Affairs of a Latin American country<\/li>\n<li>The Ministry of Foreign Affairs of a Middle Eastern country<\/li>\n<li>The Ministry of Foreign Affairs of a European country<\/li>\n<li>The Ministry of the Interior of a South Asian country<\/li>\n<li>Two unidentified government organizations in a Middle Eastern country<\/li>\n<li>One unidentified government organization in a Southeast Asian country<\/li>\n<li>A government office of a South Asian country based in another country<\/li>\n<li>An information and communications technology organization in a Middle Eastern country<\/li>\n<li>Two information and communications technology organizations in two European countries<\/li>\n<li>An information and communications technology organization in a South Asian country<\/li>\n<li>A multinational organization in a Middle Eastern country<\/li>\n<li>An educational institution in a South Asian country<\/li>\n<\/ul>\n<h2>Hijacking a rival hacker\u2019s infrastructure<\/h2>\n<p>The first compromise of the unidentified Middle Eastern government, Symantec researchers said in a <a href=\"https:\/\/www.symantec.com\/blogs\/threat-intelligence\/waterbug-espionage-governments\">report to be published Thursday<\/a>, came no later than November 2017, when Symantec security software shows the network was breached by OilRig hackers. Symantec software shows a new breach occurred on January 11, 2018, when a known Turla-linked task scheduling tool named msfgi.exe infected the same network. It\u2019s unusual, but by no means unprecedented, for two nation-sponsored hacking groups to compromise the same network this way.<\/p>\n<p>The next day, Symantec detected evidence of the never-before documented event. 
It came when an OilRig backdoor called Powruner and an OilRig administration tool called Poison Frog\u2014which had already had access to the Middle Eastern network for months\u2014were used to download a highly customized version of hacking software Symantec researchers believe could only have originated with Turla.<\/p>\n<p>The tool was a heavily customized version of the <a href=\"https:\/\/sourceforge.net\/projects\/mimikatz.mirror\/\">Mimikatz password extraction tool<\/a> that was obfuscated using a custom compression routine. Symantec has seen the custom version of Mimikatz and the custom packer used only a handful of times, and each one of them was in campaigns company researchers attributed to Turla.<\/p>\n<p>Symantec believes Turla\u2019s intrusion into the Middle Eastern network continued for most of 2018 in a way that was consistent with other known breaches by the group. In September, for instance, a similar Mimikatz variant was downloaded to another computer on the same network using the Neptun backdoor, which, as noted earlier, Symantec has observed Turla recently started using in its campaigns. Symantec also observed other malware on the Middle Eastern network connecting to known Turla command and control servers.<\/p>\n<p>Symantec researchers can\u2019t rule out the possibility that Turla and OilRig collaborated in the hack of the Middle Eastern network, or even that OilRig somehow obtained its rival&#8217;s customized version of Mimikatz and the custom packer that obfuscated it. But the researchers discount those possibilities. Turla is an unusually secretive group\u2014even among nation-sponsored hackers. The likelihood of it openly cooperating with a competitor seems slim. What\u2019s more, OilRig has considerably scarcer resources and skills compared to Turla. 
Not only does that mean Turla would have little to gain from an alliance, it also makes it extremely unlikely that OilRig would have the ability to obtain its larger rival&#8217;s tools.<\/p>\n<p>Symantec has also discounted the likelihood of a false flag operation, which attempts to trick researchers or targets into thinking a hack was carried out by some other group. Had Turla been trying to frame OilRig, it would have used&nbsp;OilRig tools and infrastructure exclusively, rather than the combination observed in the hack of the Middle Eastern government&#8217;s network.<\/p>\n<p><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2019\/06\/infrastructure-takeover.png\" class=\"enlarge\" data-height=\"868\" data-width=\"839\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2019\/06\/infrastructure-takeover-640x662.png\" width=\"640\" height=\"662\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2019\/06\/infrastructure-takeover.png 2x\"><\/a> <\/p>\n<p>The theory that seems most plausible, the researchers said, is that Turla knew OilRig had already hacked the network of the Middle Eastern target. In later deciding to go after the same target itself, Symantec speculates, Turla piggybacked on OilRig\u2019s existing access.<\/p>\n<p>In an interview, Wrolstad, the Symantec researcher, said:<\/p>\n<blockquote>\n<p>We speculate, but we really can\u2019t confirm, that the purpose of the [OilRig] network infrastructure was to gain that initial foothold. This has been discussed in the community at conferences, that a great way for a group to gain initial access to their victim organization would be to find somebody that already has access to the organization you\u2019re interested in, compromise them, and go out to all the different victims that they have. 
You can save yourself a lot of trouble by doing that.<\/p>\n<p>It\u2019s been discussed but never before observed, and that was one of the reasons we wanted to document it. The thing that people have talked about, now we have evidence that it happened.<\/p>\n<\/blockquote>\n<h2>Bad opsec<\/h2>\n<p> A theory that\u2019s based on OilRig suffering from a lapse of what researchers call operational security would also be consistent with a recent leak by an unknown party that <a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/04\/a-mystery-agent-is-doxing-irans-hackers-and-dumping-their-code\/\">dumped vast amounts of the group\u2019s code and tools<\/a>. While it\u2019s possible the leak came from an OilRig insider, Brandon Levine, head of applied intelligence at the security firm Chronicle, said his analysis of the published material leads him to believe it\u2019s the work of outsiders.<\/p>\n<p>\u201cIt&#8217;s likely an OilRig controlled staging server was somehow compromised by an outsider,&#8221; he wrote in an email. &#8220;I&#8217;d be extremely surprised if the leak(s) were native Iranians. I&#8217;ve seen some linguistic reports that highlight the construction of the messages in Farsi that seem to support this, but there really is no confirmation.\u201d<\/p>\n<p>Symantec researchers, for their part, say they can\u2019t be certain their theory is correct. In the interest of completeness, their report lists their hypothesis (listed as No. 2 below) as only one of four possibilities:<\/p>\n<blockquote>\n<p>1. <strong>False flag:<\/strong> [Turla] does have a track record of using false flag tactics to throw investigators off the scent. However, if this was a genuine attempt at a false flag operation, it begs the question of why it also used its own infrastructure to communicate with other machines on the victim\u2019s network, in addition to using tools that could be traced back to [Turla].<\/p>\n<p>2. 
<strong>Means of intrusion:<\/strong> It is possible that [Turla] wanted to compromise the target organization, found out that [OilRig] had already compromised its network, and hijacked [OilRig]\u2019s own infrastructure as a means of gaining access. Symantec did not observe the initial access point, and the close time frame between [Turla]-observed activity on the victim\u2019s network and its observed use of [OilRig] infrastructure suggests that [Turla] may have used the [OilRig] infrastructure as an initial access point.<\/p>\n<p>3. <strong>Mimikatz variant belonged to [OilRig]:<\/strong> There is a possibility that the version of Mimikatz downloaded by the [OilRig] infrastructure was actually developed by [OilRig]. However, the compilation technique and the fact that the only other occasion it was used was linked to [Turla] works against this hypothesis. The fact that [Turla] also appeared on the victim\u2019s network around the same time this version of Mimikatz was downloaded would make it an unlikely coincidence if the tool did belong to [OilRig].<\/p>\n<p>4. <strong>Opportunistic sowing of confusion:<\/strong> If a false flag operation wasn\u2019t planned from the start, it is possible that [Turla] discovered the [OilRig] intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators. <a href=\"https:\/\/www.wired.com\/story\/iran-hackers-oilrig-read-my-lips\/\">Based on recent leaks of [OilRig] internal documents<\/a>, its Poison Frog control panel is known to be vulnerable to compromise, meaning it may have been a relatively trivial diversion on the part of [Turla] to hijack [OilRig]\u2019s infrastructure. 
A compromise conducted by one threat actor group through another&#8217;s infrastructure, or fourth-party collections, has been <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/magazine\/2017\/VB2017-Guerrero-Saade-Raiu.pdf\">previously discussed in a 2017 white paper by Kaspersky researchers<\/a>.<\/p>\n<\/blockquote>\n<p>The white paper speculates on three instances that may support one hacking group compromising the infrastructure of another. The details, however, are extremely sparse. The instances are:<\/p>\n<ul>\n<li>In 2014, a site infected by hacking group Energetic Bear in hopes of compromising targets who visited it was modified to include an HTML tag that would log visitors\u2019 IP addresses with a remote server controlled by another, undisclosed party.<\/li>\n<li>A \u201cmothership\u201d server belonging to threat group NetTraveler contained a backdoor planted by another threat actor intent on maintaining prolonged access to the NetTraveler infrastructure for their stolen data.<\/li>\n<li>In 2016, a Korean-speaking threat actor named DarkHotel compromised a site located at scarcroft.net with what at the time was a zeroday vulnerability in Adobe\u2019s Flash media player. Later, another group the researchers came to call ScarCruft infected the same scarcroft.net site with a different Flash zeroday.<\/li>\n<\/ul>\n<p>&#8220;While this represents an immediate failure for the victim intelligence service, the tragedy doesn\u2019t end there,\u201d researchers Juan Andr\u00e9s Guerrero-Saade and Costin Raiu, both at Kaspersky Lab at the time, wrote in the paper titled <em>Walking in your enemy\u2019s shadow: when fourth-party collection becomes attribution Hell<\/em>. 
\u201cAttackers can then go on to adopt the victim threat actor\u2019s toolkit and infrastructure, leveraging their data and access, and perpetrating attacks in their name.\u201d<\/p>\n<p>Misidentifying hacking groups might also prove costly to the parties who are breached, since the victims may fail to accurately assess the full scope of the damage they have sustained.<\/p>\n<p>\u201cIn the case we\u2019re looking at, we have a very capable threat actor who creates a lot of redundant overlapping access within a network, and then a less capable actor,\u201d Alexandrea Berninger, a senior cyber intelligence analyst at Symantec, said in an interview. &#8220;One can imagine that if [you think] you\u2019re defending against a less capable actor you won\u2019t remove all evidence and [the more capable group] will be able to retain some kind of access.\u201d<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/30255\/Nation-Sponsored-Hackers-Likely-Carried-Out-Hostile-Takeover-Of-Rival-Groups-Servers.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":27398,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[6822],"class_list":["post-27397","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackergovernmentrussiacyberwariran"],
"yoast_head_json":{"title":"Nation-Sponsored Hackers Likely Carried Out Hostile Takeover Of Rival Group's Servers 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/nation-sponsored-hackers-likely-carried-out-hostile-takeover-of-rival-groups-servers\/","og_locale":"en_US","og_type":"article","og_title":"Nation-Sponsored Hackers Likely Carried Out Hostile Takeover Of Rival Group's Servers 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/nation-sponsored-hackers-likely-carried-out-hostile-takeover-of-rival-groups-servers\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2019-06-20T17:00:59+00:00","og_image":[{"width":640,"height":480,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/06\/nation-sponsored-hackers-likely-carried-out-hostile-takeover-of-rival-groups-servers.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","author":{"name":"TH Author"},"headline":"Nation-Sponsored Hackers Likely Carried Out Hostile Takeover Of Rival Group&#8217;s Servers","datePublished":"2019-06-20T17:00:59+00:00","wordCount":2203,"keywords":["headline,hacker,government,russia,cyberwar,iran"],"articleSection":["CyberSecurity Blogs"],"inLanguage":"en-US"}]}}}