The Russia-linked advanced persistent threat (APT) group Turla has been caught running a cyber espionage campaign on top of another group's infrastructure. Turla infiltrated the command-and-control (C2) servers of the Pakistan-based hacking group Storm-0156 and has used that access to conduct its own operations since 2022.
holy smokes the MSFT and Lumen reporting on Turla have some bombshells
– co-opting SideCopy infrastructure
– borrowed Tomiris from another actor to load their tooling
– SideCopy was in the parking lot of targets to pop em? https://t.co/onyDqDuKEa https://t.co/VIJbgKf4WY pic.twitter.com/1ESos4HG8f
— Greg Lesnewich (@greglesnewich) December 4, 2024
Black Lotus Labs, the threat research arm of Lumen Technologies, first observed Turla operating inside Storm-0156's infrastructure in December 2022. By mid-2023, Turla had extended its control to multiple C2 servers associated with Storm-0156 and was using that access to deploy its own custom malware families into Afghan government networks.
FSB’s Center 16, tracked as Secret Blizzard/Turla, has used the tools and infrastructure of at least 6 other threat actors during the past 7 years for the exclusive purpose of facilitating espionage operations. https://t.co/GafdxVBTDB
— Louise Marie Hurel (@LouMarieHSD) December 4, 2024
The malware included TwoDash, a bespoke downloader, and Statuezy, a trojan that logs data copied to the Windows clipboard. Microsoft Threat Intelligence independently confirmed that Turla used Storm-0156's infrastructure in campaigns against targets in Afghanistan and India. Turla, also tracked as Secret Blizzard, Blue Python, Iron Hunter, and Venomous Bear, is attributed to Russia's Federal Security Service (FSB).
Russia’s Turla hackers hijacked 33 command servers operated by Pakistani hackers who had themselves breached Afghan and Indian targets. https://t.co/TMZWFXWxuy
— Ryan Naraine (@ryanaraine) December 4, 2024
Active for nearly 30 years, Turla targets government, diplomatic, and military organizations. The group has a history of hijacking other threat actors’ infrastructure for their own espionage activities.
Turla exploits Storm-0156 servers
Turla's Cyber Espionage: Russian Hackers Infiltrate Pakistani hacker groups, Target India and Afghanistan https://t.co/hseU6XSjXt
— News9 (@News9Tweets) December 5, 2024
In earlier campaigns, Turla borrowed infrastructure from Iranian APTs and from commodity malware operators to deliver its own tools. In January 2023, Google-owned Mandiant reported that Turla had piggybacked on the infrastructure of the commodity malware ANDROMEDA to reach victims in Ukraine. In April 2023, Kaspersky reported that Turla used tooling belonging to the Kazakhstan-based Storm-0473 to deploy the QUIETCANARY backdoor.
Control of the Storm-0156 C2 servers let Turla repurpose Storm-0156's existing backdoors and deploy a previously undocumented Golang implant named Wainscot. In March 2024 and again in August 2024, Turla used Crimson RAT infections that Storm-0156 had already established to drop TwoDash onto victims. A further custom downloader, MiniPocket, was also observed in the same victim networks.
From the C2 servers, the Kremlin-backed attackers moved laterally to the Storm-0156 operators' own workstations. There they obtained Storm-0156's tooling, its C2 credentials, and the data it had already exfiltrated from its victims. The approach lets Turla collect intelligence on organizations of interest without ever attacking them directly, and it is cheap: the other group has already done the work of gaining access and collecting data. Microsoft noted, “The frequency of Secret Blizzard’s operations to commandeer the infrastructure or tools of other threat actors suggests that this is an intentional component of their tactics.”
The latest campaign shows how Turla's tradecraft continues to evolve, and it is a reminder that an intrusion by one adversary can quietly become an intrusion by another. Defenders investigating a known Storm-0156 compromise should assume the same foothold may be serving a second, better-resourced actor.