Spy v Spy: Russian APT Turla Caught Stealing From Pakistani APT


In an extraordinary case of digital espionage, Russian hackers spent nearly two years secretly controlling the computer systems of Pakistani cyberspies, gaining access to sensitive government networks across South Asia, according to research released Wednesday by Lumen’s Black Lotus Labs.

The Russian hacking operation, known as Turla or Secret Blizzard, commandeered 33 command servers operated by Pakistani hackers who had themselves breached Afghan and Indian government targets, sometimes using commercially available Hak5 pentest hardware devices.

According to Black Lotus Labs, the Russian hackers broke into command-and-control (C2) servers used by a Pakistani APT tracked as Storm-0156 and used that access to launch their own malware and hijack sensitive data.

“This latest campaign, spanning the last two years, is the fourth recorded case of [Turla] embedding themselves in another group’s operations since 2019 when they were first seen repurposing the C2s of an Iranian threat group,” the researchers said. Last year, Turla was also caught using legacy Andromeda malware likely deployed by other hackers to target Ukraine organizations.

Turla, an aggressive Russian APT that targets embassies and government offices around the world, was also observed taking control of a Hak5 Cloud C2 node, a platform designed for legitimate penetration testing but leveraged here for espionage.

The Pakistani group had been deploying physical hacking tools – commercially available Hak5 devices – to breach Indian government offices, including its Ministry of Foreign Affairs, before the Russians took control of their operation.

In late 2022, Black Lotus Labs researchers say, the Russian group capitalized on Storm-0156's existing footholds in Afghan government networks and on the Pakistani operators' workstations. From this vantage point, Turla deployed proprietary malware (tagged as TwoDash and Statuezy), exfiltrating data ranging from credentials to files collected by the Pakistani operators.

“Through this channel, they potentially acquired a wealth of data. This bounty included insights into Storm-0156’s tooling, credentials for both C2s and targeted networks, as well as exfiltrated data collected from prior operations,” the researchers noted.


Black Lotus Labs said Storm-0156 has historically targeted Indian and Afghan government networks and noted that Turla's move into the Pakistani operator workstations is evidence of how APT operators hide their tracks and muddy attempts at attribution.

By mid-2024, Black Lotus Labs said, Turla had expanded its focus to include the use of two other malware families (Wasicot and CrimsonRAT) that were appropriated from the Pakistani workstations. CrimsonRAT was previously found in use against government and military targets in India, and the researchers found that Turla later took advantage of its access to gather data from prior deployments of the malware.

“[There is] one characteristic that distinguishes this group more than any other: their audacity in exploiting other threat actors’ C2 servers for their own purposes,” Black Lotus Labs warned, noting that the strategy allows the Turla operators to remotely acquire sensitive files that were previously exfiltrated from compromised networks, without employing (and possibly exposing) their own tools.

“In scenarios where the other threat actors have not acquired all the data of interest on their targets, they can search the data collected on C2 nodes for stolen authentication materials to gain access or use existing access to expand collection and deploy their agents into a network,” the company added.

While monitoring Turla's interactions with the commandeered Storm-0156 C2 nodes, Black Lotus Labs said it identified beaconing activity from various Afghan government networks that Storm-0156 threat actors had previously compromised.

The researchers, working alongside threat hunters at Microsoft, observed Turla interactions with a subset of CrimsonRAT C2 nodes, which had previously been used to target the Indian government and military.

Notably, Black Lotus Labs said Turla only engaged with seven CrimsonRAT C2s, even though several more were available. “This selective engagement implies that, while they had the capability to access all nodes, their tool deployment was strategically limited to those associated with the highest priority targets in India.”

UPDATE – December 4, 2024: A separate report from Microsoft documents how the Russian FSB hacking group Turla (tracked as Secret Blizzard) has systematically infiltrated and hijacked the infrastructure of at least six different state-sponsored and criminal hacking groups since 2017. Redmond explained that this fits Turla’s established pattern, having previously taken over Iranian (Hazel Sandstorm), Kazakhstani (Storm-0473), and other threat actors’ infrastructure. Microsoft’s analysis suggests this “spy-on-spy” approach is a deliberate strategy by the FSB to conduct espionage while hiding their activities behind other hackers’ operations.
