The Russia-linked APT group Turla has launched a covert operation by infiltrating the command-and-control (C2) servers of the Pakistan-based hacking group Storm-0156, a move that has been ongoing since December 2022. This operation highlights Turla’s strategic approach of embedding itself within the infrastructure of another group to pursue its own objectives while complicating attribution.
Expansion of Control and Malware Deployment
By mid-2023, Turla had expanded its reach over multiple C2 servers initially compromised by Storm-0156. Turla used these servers to deploy specialized malware, including TwoDash and Statuezy, which targeted networks associated with Afghan government entities.
- TwoDash: A downloader designed to retrieve malicious payloads.
- Statuezy: A trojan that logs and monitors clipboard activity on Windows systems, allowing the attackers to capture sensitive information.
These tools enabled Turla to leverage Storm-0156’s existing intrusions without launching direct attacks, facilitating covert access to sensitive systems.
Espionage and Infrastructure Exploitation
According to Microsoft’s analysis, Turla made further use of Storm-0156’s infrastructure by deploying tools like the Crimson RAT and an undocumented implant known as Wainscot. This enabled Turla to extend its espionage efforts across South Asia, particularly focusing on systems in Afghanistan and India.
By moving laterally within Storm-0156’s network, Turla gained access to the group’s operator workstations, acquiring credentials, tooling, and the data Storm-0156 had already exfiltrated from its victims. This technique is consistent with Turla’s history of hijacking other threat actors’ infrastructure for espionage: in 2019, Turla used infrastructure linked to an Iranian APT to deploy its own tools, and in 2023 it leveraged Andromeda malware infrastructure in Ukraine and repurposed the Tomiris backdoor in Kazakhstan.
Leveraging Existing Operations for Effective Espionage
Turla’s tactic of exploiting the infrastructure of other groups reduces the cost of maintaining its own operations while ensuring continued access to valuable networks. In March 2024, Turla used a Crimson RAT infection previously established by Storm-0156 to deploy TwoDash and, later, MiniPocket, a secondary downloader that retrieves second-stage payloads from hard-coded IP addresses.
Escalating the Campaign
Turla’s movement within Storm-0156’s infrastructure marks a significant escalation of the operation. By compromising operator workstations, Turla gained deeper insights into Storm-0156’s tools, targets, and areas of interest, including Afghan government systems and Indian defense-related organizations. This allowed Turla to gather intelligence without directly targeting these entities, showcasing its resourcefulness and sophistication.
A Growing Threat to Regional Security
The operation highlights Turla’s ability to hijack other actors’ infrastructure and operate under the radar while infiltrating high-value networks. However, the information gathered may not always align with Turla’s main objectives due to its reliance on another group’s initial access.
Recent findings from Lumen Technologies’ Black Lotus Labs and Microsoft underline the growing threat posed by Turla, which continues to demonstrate its adaptability and expertise in advanced cyber-espionage tactics. Through its use of Storm-0156’s infrastructure, Turla has amplified its espionage campaigns, posing a significant threat to regional cybersecurity.