Cyber Warfare: Russian Hackers Exploit Pakistani Hackers’ Infrastructure for Attacks

The Russian cyber-espionage group Turla, also known as “Secret Blizzard,” has recently gained attention for hijacking the infrastructure of other hacker groups to launch covert attacks. One of their most notable targets is the Pakistani threat actor Storm-0156. This tactic involves exploiting networks already compromised by Storm-0156, particularly those belonging to government organizations in Afghanistan and India. By leveraging Storm-0156’s infrastructure, Turla was able to deploy its own malware tools, highlighting a shift in their typical operational strategy.

According to a report from Lumen’s Black Lotus Labs, which has been monitoring this campaign since January 2023 with assistance from Microsoft’s Threat Intelligence Team, Turla began executing this operation in December 2022. The group, which operates under the auspices of Russia’s Federal Security Service (FSB), has a long history of cyber-espionage campaigns dating back to at least 1996. Turla has been behind numerous high-profile attacks, including those targeting the U.S. Central Command, the Pentagon, NASA, and various Eastern European Ministries of Foreign Affairs. Their methods often involve using sophisticated malware, such as their notorious “Snake” botnet, which was recently disrupted by the Five Eyes intelligence alliance.

Lumen has tracked Storm-0156’s campaigns for years, noting that the Pakistani group focused primarily on targets in India and Afghanistan. During this monitoring, Lumen researchers discovered a command-and-control (C2) server bearing a “hak5 Cloud C2” banner, a signal that a physical implant, such as a Wi-Fi Pineapple, had been installed on an Indian government network. As Lumen continued its investigation, it identified Turla’s presence within Storm-0156’s compromised network through unusual network behavior and communication with three known IP addresses associated with the Russian hackers. It became clear that Turla had gained access to several of Storm-0156’s C2 nodes and deployed a range of its own malware tools, including the TinyTurla backdoor, the TwoDash backdoor, and the Statuezy clipboard monitor, among others.
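The two signals described above, a recognisable C2 platform banner and connections to a small set of known-bad IP addresses, are the kind of thing a defender can check against their own connection logs. The following script is an added example written for this article, not code from Lumen’s report or from any of the groups named here. The log format, the log lines and the "known C2" addresses (drawn from the reserved documentation ranges) are all constructed placeholders, since the article does not publish the three Turla IP addresses.

```python
"""Added example: triage constructed connection-log lines for two indicators
the article describes, a 'hak5 Cloud C2' banner and traffic to known C2 IPs.
All addresses, log lines and the log format are placeholders made up here."""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder indicators (constructed). The article mentions three Turla IP
# addresses but does not list them; RFC 5737 documentation ranges stand in.
KNOWN_C2_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# The banner string comes from the article; the match is case-insensitive and
# tolerant of extra whitespace so trivial variations are still caught.
BANNER_PATTERNS = [re.compile(r"hak5\s+cloud\s+c2", re.IGNORECASE)]

# Constructed log format: <timestamp> <src_ip> -> <dst_ip>:<port> [banner="..."]
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)'
    r'(?:\s+banner="(?P<banner>[^"]*)")?$'
)

# Constructed sample log: one clean connection, two hits on known C2 IPs,
# one banner hit on an address that is not in the indicator list, one bad line.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.20.30.5 -> 192.0.2.1:443
2023-03-01T10:00:07Z 10.20.30.5 -> 203.0.113.10:443
2023-03-01T10:01:12Z 10.20.30.9 -> 192.0.2.55:8080 banner="hak5 Cloud C2"
2023-03-01T10:02:40Z 10.20.30.9 -> 203.0.113.11:8443 banner="nginx"
this line is malformed and must be skipped rather than crash the parser
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["dst"])  # reject things like 999.1.1.1
    except ValueError:
        return None
    return m.groupdict()


def triage(log_text, c2_ips=KNOWN_C2_IPS, banner_patterns=BANNER_PATTERNS):
    """Emit one Finding per matched indicator; a line can yield more than one."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["dst"] in c2_ips:
            reasons.append("destination matches known C2 indicator")
        banner = rec.get("banner") or ""
        if any(p.search(banner) for p in banner_patterns):
            reasons.append("banner matches C2 platform string")
        for reason in reasons:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], int(rec["port"]), reason))
    return findings


def hosts_with_findings(findings):
    """Internal hosts that should be pulled for closer inspection."""
    return sorted({f.src for f in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f)
    print("hosts to review:", hosts_with_findings(hits))
```

The banner check fires on the third line even though its destination is not in the indicator list, which is the point: a banner identifies the C2 platform regardless of which address it currently sits on, while the IP list only catches infrastructure that has already been reported. Malformed lines are skipped rather than aborting the run, which matters when the input is a large, partly corrupted export.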

The intrusion allowed Turla to target Afghan government entities, including the Ministry of Foreign Affairs and the General Directorate of Intelligence (GDI), deploying backdoors on their systems to maintain access and steal valuable data. As Turla’s operations progressed, they escalated their attacks, even compromising Storm-0156’s own workstations by mid-2023. This move provided the Russian hackers with access to critical data, including malware tools and stolen credentials. Notably, Turla was able to steal Storm-0156’s own malware tools, such as the CrimsonRAT malware and a Go-based remote access trojan named Wainscot.

Lumen’s analysis points out that exploiting the infrastructure of other hackers, especially in a nation-state context, is a tactic that can be carried out with minimal risk. Threat actors, whether nation-state groups or cybercriminals, often run little security tooling on their own infrastructure, leaving their endpoints especially vulnerable to exploitation. Lumen notes that this is no accident: installing security products often results in the exposure of previously unknown exploits and tools, so such actors tend to avoid them. This is why Turla’s strategy of using another hacker group’s infrastructure is particularly effective in evading detection.

Interestingly, Turla’s approach is not new. The group has previously employed similar tactics, most notably when they leveraged the infrastructure and malware of the Iranian-backed hacker group OilRig in 2019. At that time, Turla not only launched attacks using OilRig’s tools but also stole sensitive data from OilRig’s systems, including keylogger logs, directory listings, and malware builders. Similarly, in 2022, Turla was reported to have deployed backdoors to victims of the “Andromeda” malware operation in Ukraine after hijacking several of their C2 domains. In 2023, Kaspersky reported that Turla had used a backdoor stolen from another hacking group, Storm-0473 (also known as “Tomiris”), in their attacks.

This ongoing campaign underscores the adaptability and sophistication of Turla’s methods. By hijacking existing infrastructure, they not only reduce the risk of attribution but also increase the stealth of their operations. This tactic allows them to gather intelligence without exposing their own toolset, making it more difficult for defenders to trace the source of the attack. The continued success of Turla in this area highlights the ongoing threat posed by state-sponsored cyber-espionage groups, particularly those with the resources and expertise to engage in long-term, covert operations.