Russia-Linked Turla Exploits Pakistani Hackers’ Servers to Target Afghan and Indian Entities

December 4, 2024 at 12:54PM

The Russia-linked APT group Turla has had access to command-and-control servers belonging to the Pakistan-based Storm-0156 group since December 2022. Turla uses that access to deploy its own custom malware into Afghan government networks, a tactic of piggybacking on another actor's infrastructure for intelligence gathering that both complicates attribution and extends Turla's operational reach.

### Key Takeaways:

1. **New Campaign by Turla:**
– Turla, a Russia-linked APT group, has been linked to a campaign active since December 2022 in which it infiltrated command-and-control servers belonging to the Pakistan-based hacking group Storm-0156.

2. **Operational Strategy:**
– Turla embeds itself within other groups' operations, furthering its own objectives while obscuring attribution of the resulting attacks. The practical caveat for defenders: when infrastructure is shared or hijacked, C2 indicators alone are not a reliable basis for attributing activity to the actor that originally built them.

3. **Use of Storm-0156 Infrastructure:**
– By mid-2023, Turla had expanded its control to multiple Storm-0156 C2 servers and had deployed its own malware families, TwoDash and Statuezy, into networks associated with Afghan government entities.

4. **Malware Details:**
– TwoDash is a custom downloader; Statuezy is a trojan that monitors and logs clipboard data.

5. **Collaboration with Microsoft:**
– Microsoft's Threat Intelligence team corroborated the findings of Lumen's Black Lotus Labs regarding Turla's activity and its use of Storm-0156-linked infrastructure.

6. **Turla’s Identity and History:**
– Turla, also tracked under aliases such as Blue Python and Venomous Bear, is attributed to Russia's Federal Security Service (FSB) and has operated for nearly 30 years, targeting government and military organizations.

7. **Previous Exploitations:**
– Turla has previously hijacked infrastructure belonging to other threat actors, including Iranian APTs, and has co-opted commodity malware infections such as ANDROMEDA.

8. **Methods of Operation:**
– The group routinely repurposes other actors' tools and infrastructure, making this co-option a consistent element of its methodology rather than a one-off.

9. **Scope of Recent Attacks:**
– The recent operations used Storm-0156 servers to reach Afghan government devices and to obtain data the Pakistani group had collected from Indian military targets, letting Turla gather intelligence without intruding on those targets directly.

10. **Implications of Co-option Tactics:**
– By riding on others' operations, Turla can gain footholds in networks of interest with minimal effort, though the intelligence it obtains this way may not align perfectly with its own collection priorities.

This summary captures the key points of the article on Turla's activities and tactics in its recent campaigns.