Russia-Linked Turla Exploits Pakistani Hackers’ Servers to Target Afghan and Indian Entities

The Turla APT group, linked to Russia, has been tied to a newly discovered campaign in which it has infiltrated the command-and-control (C2) servers of a Pakistani hacking group known as Storm-0156 and used them to carry out its own operations since 2022.

This activity, first identified in December 2022, is the latest example of a nation-state adversary embedding itself in another group’s malicious activities to advance its own objectives and obfuscate attribution efforts, as reported by Lumen Technologies’ Black Lotus Labs.

“In December 2022, Secret Blizzard gained access to a Storm-0156 C2 server and by mid-2023 had extended their control to multiple C2s associated with the Storm-0156 actor,” the company revealed in a report shared with The Hacker News.

By leveraging access to these servers, Turla has been using intrusions orchestrated by Storm-0156 to deploy custom malware families known as TwoDash and Statuezy in networks linked to various Afghan government entities. TwoDash is a bespoke downloader, while Statuezy is a trojan that monitors and logs data saved to the Windows clipboard.

The Microsoft Threat Intelligence team also released its findings on the campaign, highlighting Turla’s utilization of infrastructure linked to Storm-0156, which intersects with activity clusters identified as SideCopy and Transparent Tribe.

Turla, also known by several aliases, is believed to be associated with Russia’s Federal Security Service (FSB) and has been active for nearly three decades. The threat actor uses a diverse and sophisticated toolset to target government, diplomatic, and military organizations.

In addition, Turla has a history of repurposing other threat actors’ infrastructure for its own ends. This tactic has been observed in various instances, including exploiting an Iranian threat actor’s backdoors, piggybacking on ANDROMEDA attack infrastructure, and utilizing a Kazakhstan-based threat actor’s backdoor to deploy QUIETCANARY.

The recent attack campaign detected by Black Lotus Labs and Microsoft demonstrates Turla’s use of Storm-0156 C2 servers to install backdoors on Afghan government devices and to target Indian military and defense-related institutions.

The compromise of Storm-0156 C2 servers has allowed Turla to take control of Storm-0156’s backdoors, such as Crimson RAT and a previously undocumented Golang implant named Wainscot. The method by which these servers were initially compromised remains unknown.

Microsoft observed Turla using a Crimson RAT infection established by Storm-0156 in March 2024 to execute TwoDash in August 2024. Alongside TwoDash, another custom downloader called MiniPocket is deployed in victim networks to retrieve and run a second-stage binary.

The attackers are said to have moved laterally to the Storm-0156 operator’s workstation, likely leveraging a trust relationship to gather valuable intelligence on tooling, C2 credentials, and exfiltrated data, signaling a significant escalation of the campaign.

This technique allows Turla to gather intelligence on Storm-0156’s targets in South Asia without directly targeting those organizations. By taking advantage of others’ campaigns, Turla can establish footholds on networks of interest with minimal effort, although the obtained information may not align entirely with its collection priorities.