The Russia-linked Advanced Persistent Threat (APT) group Turla has run a cyber-espionage campaign by infiltrating the command-and-control (C2) servers of the Pakistan-based hacking group Storm-0156. The operation, under way since December 2022, illustrates Turla’s strategy of embedding itself within other actors’ operations to pursue its own objectives while obscuring attribution.
By mid-2023, Turla had taken control of numerous Storm-0156 C2 servers. It then used those servers to deliver its own specialized malware, including TwoDash and Statuezy, into Afghan government networks. TwoDash is a downloader, while Statuezy is a trojan that monitors and reports on the contents of the Windows clipboard. Operating through Storm-0156’s infrastructure gave Turla access to the targeted systems without mounting a direct intrusion of its own.
Turla also repurposed other Storm-0156 components, including the Crimson RAT and a previously undocumented implant called Wainscot, to reach networks across South Asia, particularly in Afghanistan and India. From the hijacked C2 servers, Turla moved laterally into Storm-0156’s own operations, compromising operator workstations and stealing credentials, tooling, and collected data.
Turla’s history shows a consistent preference for taking over other actors’ tools and infrastructure. In March 2019 the group used Iranian APT infrastructure to deliver its tools, and in July 2023 it was observed using Andromeda malware infrastructure in Ukraine and the Tomiris backdoor in Kazakhstan. These cases point to a deliberate effort to piggyback on existing operations, reducing Turla’s own resource expenditure while extending its espionage reach.
The current campaign shows Turla expanding this approach. In March 2024, Turla used an existing Storm-0156 Crimson RAT infection to drop TwoDash, and it deployed TwoDash again in August 2024. It also introduced MiniPocket, a second-stage downloader that connects to a set of hard-coded IP addresses to retrieve the remaining payloads.
By compromising Storm-0156’s infrastructure and operator workstations, Turla gained insight into that group’s tools and its targets, which included Afghan government networks and Indian defense institutions. This approach proved an effective way to collect intelligence on South Asian organizations without targeting them directly, and it demonstrates Turla’s creativity and operational acumen.
The research, conducted by Lumen Technologies’ Black Lotus Labs and Microsoft, shows that Turla’s cyber-espionage tradecraft continues to mature. By operating through Storm-0156’s infrastructure, the Kremlin-backed group demonstrated both its agility and its capacity for stealthy, high-value espionage. For defenders, the practical consequence is that attribution based on C2 infrastructure alone becomes unreliable: traffic to servers associated with Storm-0156 may in fact be Turla activity, so indicators should be paired with analysis of the payloads and post-compromise behavior. The observed activity underlines the need for stronger countermeasures against this sophisticated and continually evolving threat actor.