Turla: Russia-Linked APT Exploits Pakistan-Based Hacking Group’s Infrastructure

The Russia-affiliated advanced persistent threat (APT) group Turla, also known as Secret Blizzard, has been found compromising and using the infrastructure of a Pakistan-based hacking group tracked as Storm-0156. The operation, active since late 2022, is a deliberate manoeuvre by Turla to run its own intrusions through Storm-0156's existing command-and-control (C2) servers, pursuing its own objectives while obscuring who is really behind the activity.

The findings, unveiled by Lumen Technologies’ Black Lotus Labs, highlight Turla’s method of embedding itself within the operations of other threat actors. This tactic serves to further its espionage goals and complicate attribution efforts.


Turla's access to Storm-0156 infrastructure was first observed in December 2022, when it gained a foothold on a single Storm-0156 C2 server. By mid-2023 Turla had expanded that foothold, compromising multiple C2 servers linked to the group. Through this access, Turla deployed its own custom malware families, including TwoDash and Statuezy, against networks associated with Afghan government entities.

  • TwoDash: A bespoke downloader designed for efficient malware deployment.
  • Statuezy: A trojan that monitors and logs clipboard data on Windows systems, enhancing data exfiltration capabilities.

In addition to Afghanistan, Turla’s operations extended to Indian military and defense-related institutions, using Storm-0156’s infrastructure to collect and exfiltrate sensitive data.

This isn’t the first instance of Turla repurposing the infrastructure of other threat actors.

  • 2019: Turla exploited the C2 infrastructure of Iranian APTs to deploy its tools.
  • 2023: Google’s Mandiant reported Turla piggybacking on ANDROMEDA malware infrastructure to deliver reconnaissance tools to targets in Ukraine.
  • 2023 (April): Turla used the Tomiris backdoor, attributed to a Kazakhstan-based actor, to deploy QUIETCANARY malware.

These repeated cases underline Turla’s strategic preference for co-opting other attackers’ infrastructure to minimize resource expenditure and evade detection.

According to reports from Microsoft Threat Intelligence and Black Lotus Labs, Turla’s compromise of Storm-0156 servers has allowed it to:

  1. Piggyback on Storm-0156 implants such as Crimson RAT and the newly discovered Golang-based Wainscot backdoor already present on victim machines.
  2. Deliver its own custom downloaders, such as MiniPocket, which retrieve second-stage payloads.
  3. Move laterally within Storm-0156's own operator infrastructure to obtain C2 credentials, intelligence on Storm-0156's targets, and data stolen in the group's earlier campaigns.

Microsoft observed Turla using a Storm-0156 Crimson RAT infection, present on a compromised device since March 2024, to deploy TwoDash in August 2024. In other words, Turla did not need its own initial access: it reused an infection another actor had already established.

Turla’s approach offers dual advantages:

  1. Efficient Targeting: By exploiting Storm-0156’s existing operations, Turla gains access to networks of interest with minimal effort.
  2. Obfuscated Attribution: Using another actor’s infrastructure complicates the process of tracing the attacks back to Turla.

While this strategy ensures operational efficiency, the intelligence gathered may not always align with Turla’s original priorities, as it inherits the targets chosen by the compromised group.


The latest findings underscore Turla’s adaptability and resourcefulness in the cyber-espionage landscape. By infiltrating and co-opting the infrastructure of groups like Storm-0156, Turla continues to advance its geopolitical objectives while maintaining a cloak of plausible deniability.

As cybersecurity firms like Microsoft and Black Lotus Labs monitor these activities, it remains critical for organizations in South Asia and beyond to strengthen their defences against such sophisticated threats.


Onsa Mustafa

Onsa is a Software Engineer and a tech blogger who focuses on providing the latest information regarding the innovations happening in the IT world. She likes reading, photography, travelling and exploring nature.
