The notorious Russian cyber-espionage group Turla is hacking other hackers, hijacking the Pakistani threat actor Storm-0156's infrastructure to launch their own covert attacks on already compromised networks.

Using this tactic, Turla (aka "Secret Blizzard") accessed networks Storm-0156 had previously breached, like in Afghan and Indian government organizations, and deployed their malware tools.

According to a report from Lumen's Black Lotus Labs, which tracked this campaign since January 2023 with the help of Microsoft's Threat Intelligence Team, the Turla operation has been underway since December 2022.

Turla (aka Secret Blizzard) is a Russian state-sponsored hacking group linked to Center 16 of Russia's Federal Security Service (FSB), the unit responsible for the interception, decoding, and collection of data from foreign targets.

The threat actors have a long history of secretive cyber-espionage campaigns targeting governments, organizations, and research facilities worldwide since at least 1996.

They are the suspects behind cyberattacks targeting the U.S. Central Command, the Pentagon and NASA, several Eastern European Ministries of Foreign Affairs, as well as the Finnish Foreign Ministry.

More recently, the Five Eyes disrupted Turla's "Snake" cyber espionage malware botnet, used to compromise devices, steal data, and hide on breached networks.

Breaching Storm-0156 for stealthy data theft

Lumen had been monitoring Storm-0156's campaigns for years as the threat actor focused their attacks on India and Afghanistan.

During this monitoring, the researchers found a command and control server (C2) that displayed a "hak5 Cloud C2" banner. This C2  indicated that the threat actors were somehow able to install a physical implant, like a Wi-Fi pineapple, on an Indian government network.

While monitoring further campaigns, Lumen discovered Turla within Storm-0156's network by observing strange network behavior, like C2 interacting with three VPS IP addresses that were known to be linked to the Russian hackers.

It was determined that in late 2022, Turla had breached multiple C2 nodes of the Storm-0156 threat actor and deployed their own malware payloads, including a TinyTurla backdoor variant, the TwoDash backdoor, the Statuezy clipboard monitor, and the MiniPocket downloader.

Apart from the malware families associated with Turla, Lumen also noted beaconing patterns and data transfers that did not align with the Pakistani threat actor's previous tactics.

By mid-2023, the Russian threat actors had moved laterally into Storm-0156's own workstations, gaining access to valuable data such as malware tools and stolen credentials and data. The malware tools include Storm-0156's CrimsonRAT malware and a Go-based remote access trojan named Wainscot.

Lumen comments that this is particularly easy to perform in threat actor environments as nation-state groups cannot protect themselves using state-of-the-art security tools.

"We believe that nation-state and cybercriminal endpoints and malware are especially vulnerable to exploitation since they are unable to use modern security stacks for monitoring access and protecting against exploitation," explains Lumen.

"When threat actors have installed security products, it has resulted in the disclosure of their previously unknown exploits and tools."

Microsoft reports that Turla only used a Storm-0156 backdoor once to deploy malware on a single desktop in India. Instead, the threat actors deployed backdoors on Storm-0156's servers used to host data stolen by the Pakistani threat actors from Indian military and defense-related institutions.

Microsoft believes that this more careful approach could be linked to political considerations.

Lumen told BleepingComputer that they are now null-routing all traffic from the known command and control infrastructure over the Lumen network.

Turla—the hacker of hackers

Turla's approach to exploiting other actors' infrastructure allows them to gather intelligence stealthily without exposing themselves or their toolset, shifting blame and complicating attribution efforts.

The Russian hackers have been known for employing this strategy since 2019, when they leveraged the infrastructure and malware of the Iranian state-backed threat group "OilRig," to launch attacks on multiple countries.

At the same time, Turla stole data from OilRig's systems, including keylogger logs, directory listings, files, account credentials, and malware builders for private tools such as Neuron.

In 2022, Mandiant reported that Turla deployed backdoors to "Andromeda" malware victims in Ukraine, after reregistering three command and control domains belonging to that operation.

A 2023 Kaspersky report gave another example of Turla using a backdoor stolen from 'Storm-0473' (aka "Tomiris") in attacks.