In a recently disclosed cyber-espionage campaign, the Russian hacking group Turla (tracked by Microsoft as "Secret Blizzard") was found to have hijacked the command-and-control infrastructure of a Pakistani threat actor, Storm-0156, and used it to run its own covert operations on networks that Storm-0156 had already compromised. By riding on Storm-0156's existing access, Turla reached victims the Pakistani group had breached, including Afghan and Indian government entities, and deployed its own tooling alongside Storm-0156's malware to push further into those networks.
According to a detailed report by Lumen’s Black Lotus Labs, in collaboration with Microsoft’s Threat Intelligence Team, the covert operation orchestrated by Turla has been in progress since December 2022, uncovering a complex web of cyber-espionage activities. Turla, a Russian state-sponsored hacking group associated with Center 16 of Russia’s Federal Security Service (FSB), has a long history of conducting clandestine cyber-attacks targeting various government bodies, organizations, and research institutions globally since the mid-1990s.
Turla's modus operandi, stealthy data theft combined with piggybacking on other threat actors' infrastructure, came to light while Lumen researchers were monitoring Storm-0156's activity. Turla's presence inside Storm-0156's network was detected through anomalous network behavior around the Pakistani group's command-and-control nodes, which led to the identification of malware payloads deployed by the Russian hackers, including backdoor variants and data-retrieval tools.
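The detection path described above, traffic around a tracked actor's C2 nodes that does not match the nodes' normal pattern of victim implants and operator hosts, can be approximated with a baseline-and-diff pass over flow records. The block below is an added illustration written for this page, not code or data from Lumen, Microsoft or either threat actor: the C2 addresses, peer addresses, ports and flow lines are constructed (TEST-NET ranges) and the "admin port" list is an assumption. A new peer that repeatedly reaches a known C2 node on an interactive port, touches more than one of the actor's nodes, or is contacted outbound by the C2 node itself is exactly the kind of third-party access the article is about, while a single new peer on the implant port is more likely just a fresh victim.

```python
"""Flag third-party access to a tracked adversary's C2 nodes from flow records.

Added example for this page. All addresses, ports and flow lines are constructed
(TEST-NET ranges); nothing here is taken from the Lumen/Microsoft reporting.
"""
from collections import defaultdict

# Hypothetical: C2 nodes already attributed to the tracked actor (constructed).
KNOWN_C2 = {"203.0.113.10", "203.0.113.11"}

# Assumption: ports that indicate interactive operator access rather than implant beacons.
ADMIN_PORTS = {22, 3389, 5985}

# Constructed flow lines in the form "<timestamp> <src> <dst> <dport> <bytes>".
# Baseline window: victims beacon on 443, one operator host manages the nodes over 22.
BASELINE_FLOWS = """\
2022-11-01T02:00:00 198.51.100.7 203.0.113.10 443 1200
2022-11-01T02:05:00 198.51.100.8 203.0.113.10 443 900
2022-11-01T03:00:00 192.0.2.50 203.0.113.10 22 30000
2022-11-02T02:00:00 198.51.100.9 203.0.113.11 443 1100
2022-11-02T03:10:00 192.0.2.50 203.0.113.11 22 25000
""".splitlines()

# Later window: a second, previously unseen host starts managing both nodes, and one
# node opens an outbound connection to it; a single new 443 peer also appears (new victim).
NEW_FLOWS = """\
2022-12-03T01:00:00 198.51.100.7 203.0.113.10 443 1300
2022-12-03T01:15:00 192.0.2.50 203.0.113.10 22 28000
2022-12-03T23:40:00 192.0.2.200 203.0.113.10 22 41000
2022-12-04T23:42:00 192.0.2.200 203.0.113.10 22 39000
2022-12-05T23:45:00 192.0.2.200 203.0.113.11 22 44000
2022-12-06T00:02:00 203.0.113.10 192.0.2.200 8443 52000
2022-12-06T04:00:00 198.51.100.33 203.0.113.11 443 700
""".splitlines()


def parse_flow(line):
    """Parse one whitespace-separated flow line into a dict."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def c2_peers(flows, known_c2):
    """Yield (c2_node, peer, dport, direction) for every flow touching a known C2 node.

    direction is "in" when the peer connected to the C2 node and "out" when the
    C2 node itself initiated the connection.
    """
    for f in flows:
        if f["src"] in known_c2 and f["dst"] not in known_c2:
            yield f["src"], f["dst"], f["dport"], "out"
        elif f["dst"] in known_c2 and f["src"] not in known_c2:
            yield f["dst"], f["src"], f["dport"], "in"


def build_baseline(lines, known_c2):
    """Map each C2 node to the set of peers seen during the baseline window."""
    peers = defaultdict(set)
    for node, peer, _port, _direction in c2_peers(map(parse_flow, lines), known_c2):
        peers[node].add(peer)
    return peers


def find_new_peers(lines, baseline, known_c2, min_flows=2):
    """Return previously unseen peers of the C2 nodes that look like a third party
    operating the infrastructure, with the reasons each one was flagged."""
    stats = {}
    for f in map(parse_flow, lines):
        for node, peer, port, direction in c2_peers([f], known_c2):
            if peer in baseline.get(node, set()):
                continue  # known victim or known operator host for this node
            s = stats.setdefault(peer, {"flows": 0, "nodes": set(), "ports": set(),
                                        "directions": set(), "bytes": 0})
            s["flows"] += 1
            s["nodes"].add(node)
            s["ports"].add(port)
            s["directions"].add(direction)
            s["bytes"] += f["bytes"]

    findings = []
    for peer, s in stats.items():
        reasons = []
        if s["flows"] >= min_flows:
            reasons.append("repeated contact")
        if len(s["nodes"]) > 1:
            reasons.append("touches multiple C2 nodes")
        if s["ports"] & ADMIN_PORTS:
            reasons.append("interactive admin port")
        if "out" in s["directions"]:
            reasons.append("C2 node initiated outbound connection")
        if reasons:
            findings.append({"peer": peer, "reasons": reasons, **s})
    findings.sort(key=lambda x: (-len(x["reasons"]), -x["flows"]))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS, KNOWN_C2)
    for hit in find_new_peers(NEW_FLOWS, base, KNOWN_C2):
        print(hit["peer"], sorted(hit["nodes"]), sorted(hit["ports"]), hit["reasons"])
```

On the constructed data only 192.0.2.200 is reported: it contacts both C2 nodes on port 22 on three occasions and one node connects back to it, whereas 198.51.100.33 appears once on the implant port and is left alone. In practice the baseline window has to be long enough to cover the legitimate operator's management cadence, and a hit is a lead for pivoting on the new peer, not an attribution by itself.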
Turla's incursion into Storm-0156's infrastructure extended to the Pakistani group's own workstations, giving it access to Storm-0156's malware tools and the credentials the group had stolen from its victims. The breach shows that threat-actor environments are themselves soft targets: nation-state groups and cybercriminals face the same difficulty as anyone else in protecting their systems against a sophisticated, well-resourced intruder.
Microsoft's analysis noted that Turla deployed its backdoors only on specific Storm-0156 servers, those used to host data stolen from Indian military and defense entities, which suggests a deliberate selection of targets rather than opportunistic use of whatever access was available. The layered set of operations Turla ran inside Storm-0156's infrastructure underscores the group's skill at turning another actor's existing footholds into its own espionage channels.
Turla's reputation as the "hacker of hackers" rests on its history of taking over other actors' infrastructure to gather intelligence while complicating detection and attribution: when Turla's traffic rides on someone else's C2 servers and malware, defenders who spot the activity are likely to attribute it to the original owner. Commandeering other groups' networks and tools has been a hallmark of Turla's operations, seen before in its takeover of an Iranian threat actor's infrastructure and in its use of commodity malware infrastructure already present on Ukrainian networks.
In light of these findings, security practitioners have stressed the value of strong baseline controls and threat-intelligence monitoring for catching the evolving tactics of actors like Turla, and of treating activity attributed to a known group with some caution, since the operator behind a familiar piece of infrastructure may not be the one who built it. The continuing cat-and-mouse game underscores the need for vigilance and for collaboration among defenders to protect critical infrastructure and sensitive data.