Turla stole APT34's tools and hijacked its infrastructure.
A joint report issued on Monday by the UK's National Cyber Security Centre and the US National Security Agency states that the suspected Russian APT Turla stole tools from the Iranian group APT34 (also known as OilRig) and used them in false-flag operations targeting victims in the Middle East that would have been of interest to both Turla and APT34. The victims included "military establishments, government departments, scientific organisations and universities." The NCSC and NSA say the Iranian crew was "almost certainly not aware of, or complicit with, Turla’s use of their implants." Turla also compromised Iranian hacking infrastructure and used it to deploy its own malware.
The agencies note that their observations are reinforced by private sector findings, such as Symantec's June report, which said Turla may have hijacked APT34's infrastructure and used it in attacks against a Middle Eastern target. Doug Cress, a division chief within the NSA’s Cybersecurity Directorate, told Reuters that "our main intent right here is to point out that there’s a lot of false flagging going on out there and we want to make sure our national security systems that we’re trying to defend are aware."
A spokesman for the Russian embassy in the UK said media publications on the matter are "an unsavoury interpretation" of GCHQ and NSA's statement, adding that the reports are meant to "drive a wedge" between Russia and Iran, according to Reuters.
Magecart Group 5 linked to Carbanak.
Malwarebytes has identified ties between Magecart Group 5 and the Carbanak criminal threat actor. The researchers examined domains used by Magecart Group 5 and linked them to domains used in Dridex phishing campaigns that distributed Carbanak's malware. The email address used to register these domains was also linked to a phone number mentioned in a blog post on Carbanak by Brian Krebs.
Magecart Group 5 differentiates itself from other card-skimming groups by launching supply chain attacks against vendors of website components, particularly those that service e-commerce sites. This allows them to compromise any site that uses those components, rather than having to hack each site individually. Carbanak (also known as FIN7) is a sophisticated group well-known for hacking banks and ATMs, as well as carrying out other financially motivated crimes.