Russian Hackers Target Pakistani Servers to Obtain Indian and Afghan Intelligence

The Russia-affiliated APT group Turla has orchestrated a sophisticated infiltration of the command-and-control (C2) servers belonging to Storm-0156, a Pakistan-based hacking group. This covert activity, which began in December 2022, highlights Turla’s strategic method of embedding itself within other threat actors’ operations to obscure attribution and achieve its espionage goals.

Hijacking Infrastructure for Espionage

By mid-2023, Turla had taken control of several of Storm-0156’s C2 servers. Using these servers, Turla deployed custom malware such as TwoDash and Statuezy to target Afghan government networks. TwoDash serves as a downloader, while Statuezy functions as a trojan that monitors clipboard activity on Windows systems. This allowed Turla to covertly reach sensitive networks without initiating direct attacks of its own, instead leveraging Storm-0156’s existing intrusions.

Microsoft’s Analysis of Broader Exploitation

According to Microsoft, Turla exploited Storm-0156’s infrastructure by deploying additional tools like the Crimson RAT and a stealth implant named Wainscot. This facilitated Turla’s spread across South Asian networks, enabling intelligence gathering from Afghanistan and India. By infiltrating Storm-0156’s operations, Turla accessed compromised workstations, valuable credentials, and stolen data.

Turla’s tactic of hijacking other threat actors’ infrastructure has historical precedent. In 2019, Turla leveraged Iranian APT infrastructure, while in 2023 it exploited the Andromeda malware network in Ukraine and the Tomiris backdoor in Kazakhstan. These operations reflect Turla’s preference for reducing its own resource expenditure while maintaining effective cyber-espionage campaigns.

Strategic Escalation and Increased Sophistication

Turla’s recent campaign shows a significant escalation. By infiltrating Storm-0156’s operator workstations, Turla gained deep insights into Storm-0156’s tools and targets, including Afghan government networks and Indian defense entities. In March 2024, Turla utilized an earlier Crimson RAT infection to deploy TwoDash and a secondary downloader, MiniPocket, to retrieve additional malware.

This strategy of co-opting other hackers’ infrastructure allows Turla to access high-value targets while minimizing its exposure. However, the reliance on another group’s initial access means the collected intelligence might not always align with Turla’s primary goals.

Implications for Regional Security

Findings by Lumen Technologies’ Black Lotus Labs and Microsoft underscore Turla’s growing threat. By exploiting Storm-0156’s infrastructure, the Kremlin-backed group continues to demonstrate its adaptability and advanced espionage capabilities, posing a significant risk to cybersecurity in South Asia.
