Russia-Linked Turla Exploits Pakistani Hackers’ Servers to Target Afghan and Indian Entities

By Viral Trending Content
The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undocumented campaign that involved infiltrating the command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to conduct its own operations since 2022.

The activity, first observed in December 2022, is the latest instance of the nation-state adversary “embedding themselves” in another group’s malicious operations to further their own objectives and cloud attribution efforts, Lumen Technologies Black Lotus Labs said.

“In December 2022, Secret Blizzard initially gained access to a Storm-0156 C2 server and by mid-2023 had expanded their control to a number of C2s associated with the Storm-0156 actor,” the company said in a report shared with The Hacker News.

By leveraging their access to these servers, Turla has been found to take advantage of the intrusions already orchestrated by Storm-0156 to deploy custom malware families referred to as TwoDash and Statuezy in a select number of networks related to various Afghan government entities. TwoDash is a bespoke downloader, whereas Statuezy is a trojan that monitors and logs data saved to the Windows clipboard.

The Microsoft Threat Intelligence team, which has also released its findings into the campaign, said Turla has put to use infrastructure tied to Storm-0156, which overlaps with activity clusters tracked as SideCopy and Transparent Tribe.

“Secret Blizzard command-and-control (C2) traffic emanated from Storm-0156 infrastructure, including infrastructure used by Storm-0156 to collate exfiltrated data from campaigns in Afghanistan and India,” Microsoft said in a coordinated report shared with the publication.

Turla, also known by the names Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, and Waterbug, is assessed to be affiliated with Russia’s Federal Security Service (FSB).

Active for nearly 30 years, the threat actor employs a diverse and sophisticated toolset, including Snake, ComRAT, Carbon, Crutch, Kazuar, HyperStack (aka BigBoss), and TinyTurla. It primarily targets government, diplomatic, and military organizations.

The group also has a history of hijacking other threat actors’ infrastructure for its own purposes. In October 2019, the U.K. and U.S. governments revealed Turla’s exploitation of an Iranian threat actor’s backdoors to advance its own intelligence requirements.

“Turla accessed and used the command-and-control (C2) infrastructure of Iranian APTs to deploy their own tools to victims of interest,” the U.K. National Cyber Security Centre (NCSC) noted at the time. The Windows maker has since identified the Iranian hacking group to be OilRig.

Then in January 2023, Google-owned Mandiant noted that Turla had piggybacked on attack infrastructure used by a commodity malware called ANDROMEDA to deliver its own reconnaissance and backdoor tools to targets in Ukraine.

The third instance of Turla repurposing a different attacker’s tool was documented by Kaspersky in April 2023, when the Tomiris backdoor – attributed to a Kazakhstan-based threat actor tracked as Storm-0473 – was used to deploy QUIETCANARY in September 2022.

“The frequency of Secret Blizzard’s operations to co-opt or commandeer the infrastructure or tools of other threat actors suggests that this is an intentional component of Secret Blizzard’s tactics and techniques,” Microsoft noted.

The latest attack campaign detected by Black Lotus Labs and Microsoft shows that the threat actor utilized Storm-0156 C2 servers to deploy backdoors onto Afghan government devices, while in India, they targeted C2 servers hosting exfiltrated data from Indian military and defense-related institutions.

The compromise of Storm-0156 C2 servers has also enabled Turla to commandeer the former’s backdoors such as Crimson RAT and a previously undocumented Golang implant dubbed Wainscot. Black Lotus Labs told The Hacker News that it’s currently not known how the servers were compromised in the first place.

Specifically, Redmond said it observed Turla using a Crimson RAT infection that Storm-0156 had established in March 2024 to download and execute TwoDash in August 2024. Also deployed in victim networks alongside TwoDash is another custom downloader called MiniPocket that connects to a hard-coded IP address/port using TCP to retrieve and run a second-stage binary.

The Kremlin-backed attackers are further said to have moved laterally to the Storm-0156 operator’s workstation, likely by abusing a trust relationship, to obtain valuable intelligence on their tooling and C2 credentials, as well as exfiltrated data collected from prior operations, signaling a significant escalation of the campaign.

“This allows Secret Blizzard to collect intelligence on Storm-0156’s targets of interest in South Asia without targeting those organizations directly,” Microsoft said.

“Taking advantage of the campaigns of others allows Secret Blizzard to establish footholds on networks of interest with relatively minimal effort. However, because these initial footholds are established on another threat actor’s targets of interest, the information obtained through this technique may not align entirely with Secret Blizzard’s collection priorities.”
