systems.
The Russia-linked APT group Turla has orchestrated a covert operation involving the infiltration of command-and-control (C2) servers belonging to the Pakistan-based hacking group Storm-0156. This activity, observed since December 2022, represents Turla’s strategic approach of embedding itself within another actor’s operations to achieve its own goals while complicating attribution.
Ad powered by advergic.com
By mid-2023, Turla had expanded its control over multiple C2 servers initially compromised by Storm-0156. The group utilized these servers to deploy bespoke malware, including TwoDash and Statuezy, targeting networks associated with Afghan government entities.
TwoDash functions as a downloader, while Statuezy operates as a trojan that logs and monitors clipboard activity on Windows devices. These tools allowed Turla to leverage existing Storm-0156 intrusions without initiating direct attacks, enabling covert access to sensitive systems.
Ad powered by advergic.com
Leveraging Infrastructure for Espionage and Broader Implications
Microsoft’s analysis further reveals that Turla exploited Storm-0156 infrastructure, including using the Crimson RAT and an undocumented implant named Wainscot. This enabled Turla to expand its foothold across South Asian networks, gathering intelligence from systems in Afghanistan and India. Notably, the group moved laterally within Storm-0156’s operations, accessing workstations and obtaining valuable credentials, tools, and exfiltrated data.
Turla’s actions are consistent with its history of hijacking other threat actors’ tools and infrastructure. In 2019, Turla utilized an Iranian APT’s infrastructure to deploy its tools. More recently, it piggybacked on the Andromeda malware infrastructure in Ukraine in 2023 and repurposed the Tomiris backdoor in Kazakhstan.
These repeated instances indicate a deliberate tactic to exploit existing operations, reducing resource expenditure while maintaining effective espionage campaigns.
Ad powered by advergic.com
The current campaign highlights Turla’s ability to co-opt operations of interest to infiltrate networks efficiently. For instance, in March 2024, Turla used a Crimson RAT infection established by Storm-0156 to deploy TwoDash in August 2024. Additionally, Turla deployed MiniPocket, a secondary downloader that connects to hard-coded IP addresses to retrieve second-stage payloads.
Escalating the Campaign
Turla’s lateral movement within Storm-0156’s infrastructure signals a significant escalation. By compromising operator workstations, the group gained insights into Storm-0156’s tooling and targets, including intelligence on Afghan government systems and Indian defense-related institutions.
This approach allowed Turla to indirectly collect information from South Asian organizations without directly targeting them, underscoring its resourcefulness and sophistication.
Ad powered by advergic.com
This strategy of hijacking other actors’ infrastructure enables Turla to maintain a low profile while infiltrating high-value networks. However, the information obtained may not always align with Turla’s primary objectives due to the reliance on another group’s initial access.
A Growing Threat to Regional Security
The latest findings by Lumen Technologies’ Black Lotus Labs and Microsoft emphasize the evolving threat posed by Turla. By capitalizing on Storm-0156’s infrastructure, the Kremlin-backed group continues to demonstrate its adaptability and proficiency in advanced cyber-espionage tactics.