Russian hackers hijack Pakistani hackers’ servers for their own attacks

December 4, 2024 at 12:11PM

The Russian cyber-espionage group Turla has been infiltrating the infrastructure of the Pakistani threat actor Storm-0156 since late 2022, using Storm-0156's already-compromised networks to conduct its own covert attacks. This strategy allows Turla to stealthily gather intelligence while complicating attribution efforts, by leveraging targets another group had already breached, including Afghan governmental entities.

**Meeting Notes Takeaways:**

1. **Turla’s Current Operations**: The Russian cyber-espionage group Turla (also known as “Secret Blizzard”) is hijacking the infrastructure of another threat actor, Storm-0156, to conduct covert attacks. This strategy allows them to target already compromised networks, particularly in Afghan and Indian government sectors.

2. **Timeline and Tracking**: Lumen’s Black Lotus Labs, in collaboration with Microsoft’s Threat Intelligence Team, has been following Turla’s activities since December 2022, with significant operations detected from January 2023 onwards.

3. **Background on Turla**: Turla is a state-sponsored hacking group linked to the FSB’s Center 16 and has a long-standing history of cyber-espionage campaigns targeting a wide range of entities globally.

4. **Notable Past Targets**: Turla is implicated in significant cyberattacks against U.S. military and government entities, various Eastern European foreign ministries, and others.

5. **Recent Disruptions**: The Five Eyes alliance recently disrupted Turla’s “Snake” malware botnet, which was used to steal data and hide within compromised systems.

6. **Exploitation of Storm-0156**: Turla accessed Storm-0156’s compromised systems by deploying various malware tools, including the TinyTurla backdoor and TwoDash backdoor, signaling a breach of multiple command and control nodes.

7. **Targeted Data Access**: The primary use of Turla’s access was to deploy backdoors within Afghan government entities, leading to the collection of malware tools and stolen data from Storm-0156, including Pakistan-based cyber-espionage tools.

8. **Vulnerability of Threat Actor Environments**: Turla’s ability to exploit other threat actors stems from the fact that nation-state and cybercriminal environments often lack advanced security protections.

9. **Stealth and Attribution Challenges**: Turla’s method of leveraging other hackers’ infrastructure complicates efforts to attribute its attacks and shifts blame away from Turla onto the group whose infrastructure it hijacked.

10. **Historical Context of Strategy**: Since 2019, Turla has consistently employed tactics that exploit other groups’ infrastructures, with previous instances of using Iranian state-backed resources and other cybercriminal tools.

11. **Network Security Responses**: Lumen plans to null-route all traffic from identified command and control servers associated with Turla’s operations to mitigate further exploitation.

These points outline the dangers posed by Turla’s innovative use of infiltration tactics and the ongoing threats within state-sponsored cyber activity.