December 5, 2024 at 03:48AM
The Russian cyber-espionage group Turla is hijacking the infrastructure of Pakistani threat actor Storm-0156 to conduct covert attacks on compromised networks, particularly targeting Afghan and Indian government entities. This tactic, observed since late 2022, allows Turla to stealthily deploy malware while complicating attribution efforts.
**Meeting Takeaways**
1. **Turla’s Activities:**
– The Russian cyber-espionage group Turla is conducting covert attacks through the infrastructure of Storm-0156, a Pakistani threat actor, rather than through infrastructure of its own.
– This gives Turla access to networks Storm-0156 had already compromised, particularly Afghan and Indian government organizations, and muddies attribution because the initial intrusion traces back to Storm-0156.
2. **Timeline of Operations:**
– The operation tracked by Lumen’s Black Lotus Labs began in December 2022, with continuous monitoring since January 2023, supported by Microsoft’s Threat Intelligence Team.
3. **Background on Turla:**
– Turla, also known as “Secret Blizzard,” is linked to Russia’s Federal Security Service and has a long history of cyber-espionage since at least 1996, targeting various global entities, including U.S. military and foreign ministries in Eastern Europe.
4. **Recent Disruptions:**
– In May 2023 the Five Eyes intelligence alliance disrupted Turla’s “Snake” malware network, a long-running peer-to-peer implant used for widespread data theft.
5. **Method of Compromise:**
– During its monitoring, Lumen identified a C2 server displaying a “hak5 Cloud C2” banner. Hak5 Cloud C2 is the management server for Hak5’s hardware implant devices, so the banner suggested a physical device planted on an Indian government network.
– Anomalous network behavior on the Storm-0156 infrastructure led to the identification of Turla operating inside it and deploying its own malware, including TinyTurla, TwoDash, Statuezy, and MiniPocket.
6. **Targets of Turla’s Operations:**
– Turla primarily targeted Afghan government entities, such as the Ministry of Foreign Affairs and General Directorate of Intelligence.
– Turla also gained access to Storm-0156’s own malware tooling and to the data Storm-0156 had already stolen, showing that even nation-state groups can have weak operational security around their own infrastructure.
7. **Exploitation of Vulnerabilities:**
– Turla’s operations show how readily one threat actor can compromise another: attacker-run C2 servers and operator workstations are rarely protected by the monitoring and endpoint security tools found in mature enterprise environments.
8. **Political Considerations:**
– Microsoft observed that Turla’s careful approach and limited use of Storm-0156’s backdoors may be influenced by political factors, especially while targeting sensitive governmental systems.
9. **Long-standing Strategy:**
– Turla has a history of commandeering other actors’ infrastructure for stealthy intelligence gathering, most notably its 2019 hijacking of infrastructure belonging to the Iranian group OilRig, documented by the NSA and the UK’s NCSC.
10. **Current Actions:**
– Lumen has begun null-routing all traffic to and from the known Turla command and control infrastructure across its network. Note that blackholing C2 traffic at one provider disrupts the operation but does not remediate already-compromised hosts, which still need to be identified and cleaned.
This summary underscores Turla’s sophisticated approach to cyber-espionage and highlights the continuing evolution of threats in the cyber landscape.