The Russia-backed Advanced Persistent Threat (APT) group Turla has launched a sophisticated cyber-espionage campaign by infiltrating the command-and-control (C2) infrastructure of a Pakistani hacker group called Storm-0156. This operation, which has been active since late 2022, highlights Turla’s expertise in leveraging other hacking groups' operations to obscure attribution and advance its own objectives.
Turla’s Tactics: Hijacking C2 Servers for Espionage
According to Lumen Technologies’ Black Lotus Labs, Turla began compromising Storm-0156's servers in December 2022. By mid-2023, Turla had expanded its control to several C2 servers linked to the Pakistani group. These servers were already targeting organizations in Afghanistan and India, giving Turla access to critical exfiltrated data.
Using this access, Turla deployed two custom malware strains:
- TwoDash: A downloader used to fetch additional payloads.
- Statuezy: A trojan that monitors and logs clipboard activity on Windows systems.
This strategic approach allowed Turla to exploit existing intrusions conducted by Storm-0156, redirecting them to fulfill its espionage agenda.
Connections to Other Threat Actors
The campaign has also drawn attention from Microsoft’s Threat Intelligence team, which linked Turla’s activities to other hacking clusters like SideCopy and Transparent Tribe. These clusters are known for targeting Afghan government entities and Indian defense-related institutions.
Turla, often referred to by aliases such as Secret Blizzard, Blue Python, and Venomous Bear, is suspected of working under Russia’s Federal Security Service (FSB). Over its 30-year history, Turla has deployed advanced malware like Snake, ComRAT, Kazuar, and HyperStack, primarily targeting government, military, and diplomatic entities worldwide.
A Pattern of Exploiting Other Threat Groups
This is not the first time Turla has piggybacked on another threat actor’s infrastructure:
- 2019: Turla hijacked Iranian APT backdoors to deploy its tools, as revealed by the UK’s National Cyber Security Centre (NCSC).
- 2023: Mandiant reported Turla using the ANDROMEDA malware infrastructure for reconnaissance in Ukraine.
- 2023: Kaspersky uncovered Turla’s use of the Tomiris backdoor, linked to Kazakhstan-based Storm-0473, to deploy its own malware.
Latest Campaign Targets Afghan and Indian Entities
In this latest operation, Turla infiltrated Storm-0156’s C2 servers to:
- Deploy backdoors, including Crimson RAT and a new Golang-based implant named Wainscot.
- Execute TwoDash and another downloader called MiniPocket, which retrieves second-stage payloads from hardcoded IP addresses and ports rather than resolving domain names.
Black Lotus Labs noted that Turla likely abused trust relationships to gain lateral access to Storm-0156 operator workstations. This enabled it to gather intelligence on C2 credentials, hacking tools, and exfiltrated data.
Implications for Cybersecurity
Turla’s ability to co-opt other hacking groups' operations reflects its sophisticated tactics and adaptability. By piggybacking on Storm-0156’s infrastructure, Turla not only minimizes its own operational effort but also complicates attribution for defenders.
Microsoft warns that this tactic allows Turla to gather intelligence on South Asian targets without directly breaching those organizations. However, the data obtained might not always align with Turla’s primary objectives.
How to Stay Protected
Organizations, especially in South Asia, must remain vigilant against advanced threats like Turla by:
- Regularly monitoring network traffic for suspicious activity.
- Implementing multi-layered defense systems, including endpoint detection and response (EDR).
- Keeping software and systems updated to patch vulnerabilities exploited by such APT groups.
Conclusion
Turla’s exploitation of Storm-0156’s infrastructure underscores the evolving nature of state-sponsored cyber threats. As global cyber-espionage tactics become increasingly intricate, organizations must prioritize robust cybersecurity measures to safeguard sensitive data.