Aaj English TV

Saturday, March 29, 2025  
28 Ramadan 1446  

Russian hacking group exploits Pakistani hackers to expand cyber espionage operations

Current campaign underscores Turla's capability to efficiently co-opt operations of interest
APT group Turla has reportedly infiltrated the command-and-control (C2) servers of the Pakistani hacking group Storm-0156, marking a significant escalation in cyber espionage efforts. Photo via Reuters

The Russia-linked Advanced Persistent Threat (APT) group Turla has reportedly infiltrated the command-and-control (C2) servers of the Pakistani hacking group Storm-0156, marking a significant escalation in cyber espionage efforts.

This covert operation, ongoing since December 2022, allows Turla to embed itself within another actor’s operations, complicating attribution and enabling its own strategic goals.

By mid-2023, Turla had gained control over several C2 servers previously compromised by Storm-0156. The group deployed custom malware, including TwoDash, a downloader, and Statuezy, a trojan designed to log clipboard activity on Windows devices.

This approach permitted Turla to exploit existing intrusions without launching direct attacks, facilitating covert access to sensitive networks associated with Afghan government entities.

Further analysis by Microsoft reveals that Turla also utilized Storm-0156’s infrastructure to deploy tools like the Crimson RAT and an undocumented implant known as Wainscot.

This tactic enabled the group to gather intelligence from systems in Afghanistan and India, accessing workstations and acquiring valuable credentials, tools, and data. Turla’s history of hijacking the infrastructure of other threat actors is evident in its past operations.

In 2019, it leveraged an Iranian APT’s resources, and more recently, it exploited Andromeda malware infrastructure in Ukraine and repurposed the Tomiris backdoor in Kazakhstan.

The current campaign underscores Turla’s capability to efficiently co-opt operations of interest. For example, Storm-0156 established a Crimson RAT infection in March 2024; in August 2024, Turla used that same infection to deploy TwoDash, alongside a secondary downloader, MiniPocket, which retrieves additional payloads.

By compromising Storm-0156’s operator workstations, Turla has gained critical insights into the tooling and targets of the group, including intelligence on Afghan government systems and Indian defense institutions.

This indirect method of information collection highlights Turla’s resourcefulness and sophisticated approach to cyber espionage.

The findings from Lumen Technologies’ Black Lotus Labs and Microsoft emphasize the escalating threat posed by Turla.

By leveraging Storm-0156’s infrastructure, the Kremlin-backed group showcases its adaptability and skill in advanced cyber-espionage tactics, posing a growing risk to regional security.
