| Welcome to Global Village Space

Friday, January 10, 2025

Russian hackers hijack Pakistani group for South Asia espionage

Turla hijacks Pakistani hackers to spy on South Asia, deploying malware and accessing sensitive Afghan and Indian networks.

The Russian Advanced Persistent Threat (APT) group Turla (tracked by Microsoft as Secret Blizzard) has employed a sophisticated strategy: infiltrating the command-and-control (C2) servers of the Pakistan-based hacking group Storm-0156 and using them for its own ends. This covert operation, first observed in December 2022, shows Turla's ability to embed itself within another group's infrastructure to achieve its objectives while complicating attribution. By mid-2023, Turla had expanded its control over multiple C2 servers operated by Storm-0156, using them to deploy custom malware such as TwoDash and Statuezy.


TwoDash operates as a downloader that stages further malware, while Statuezy is a trojan that monitors and logs clipboard activity on Windows devices. Together, these tools allowed Turla to reach sensitive networks, particularly those tied to Afghan government entities, without having to establish initial access itself.

Hijacking Infrastructure for Broader Espionage

Turla's exploitation extended beyond deploying its own bespoke malware. Microsoft and Lumen Technologies' Black Lotus Labs reported that Turla also used Storm-0156's infrastructure to deploy that group's own tools, including the Crimson RAT and Wainscot, a previously undocumented backdoor. These tools supported espionage in Afghanistan and India and gave Turla a foothold to move laterally within Storm-0156's operations, gathering credentials, data the Pakistani group had already exfiltrated, and insight into its tooling.

This strategy aligns with Turla's historical patterns. In 2019, Turla hijacked an Iranian APT's infrastructure for its own espionage. More recently, it repurposed Andromeda malware infrastructure in Ukraine and the Tomiris backdoor in Kazakhstan to infiltrate networks of interest. These tactics minimize resource expenditure while maintaining operational effectiveness.

Lateral Movement into Operator Workstations

By 2024, Turla's campaign had escalated. The group moved from Storm-0156's C2 servers into the operator workstations behind them, gaining direct insight into Storm-0156's operations and targets, including intelligence on Afghan government systems and Indian defense-related institutions. Notably, Turla used a Crimson RAT infection that Storm-0156 had established in March 2024 to deploy TwoDash in August 2024, alongside MiniPocket, a secondary downloader designed to fetch additional payloads.

This indirect method of riding on another actor's operations highlights Turla's resourcefulness. By piggybacking on Storm-0156's efforts, Turla reached high-value networks without the cost and exposure of gaining initial access on its own.

Implications for Regional and Global Security

The implications of Turla’s activities extend beyond South Asia. Storm-0156, believed to be a nation-state actor operating out of Pakistan, primarily targets regional government entities and industrial systems in Afghanistan and India. By infiltrating this infrastructure, Turla not only accessed these targets but also acquired intelligence on Storm-0156’s broader objectives.

This co-optive tactic is not without limitations. Because Turla depends on another actor's initial access, the information it obtains may not always align with its own strategic goals. Nonetheless, the approach highlights the adaptability of Kremlin-backed cyber-espionage operations.

Pattern of Exploiting Others

Turla's campaign is the latest example of its deliberate strategy of hijacking other threat actors' tools and infrastructure, a consistent modus operandi dating back years. From exploiting the Iranian OilRig group in 2019 to commandeering Andromeda malware infrastructure in Ukraine in 2023, Turla's repeated co-opting of others reflects its emphasis on operational stealth and efficiency.

The current campaign also shows how such operations obscure Turla's tracks: activity that appears to originate from Storm-0156's infrastructure complicates attribution. This has made the group a particularly challenging adversary for cybersecurity professionals worldwide.

Growing Threat to Global Cybersecurity

The findings from Microsoft and Lumen Technologies’ Black Lotus Labs emphasize the escalating threat posed by Turla. The group’s ability to infiltrate and exploit other actors’ infrastructure with such precision highlights its advanced capabilities and persistent focus on politically significant targets.

Turla’s actions have wide-ranging implications for regional and global security, particularly as Western nations continue to uncover and counter Russian cyber operations. By leveraging Storm-0156’s infrastructure, Turla has demonstrated its resourcefulness and skill in executing advanced cyber-espionage campaigns.