Full Report
The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undocumented campaign that involved infiltrating the command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to conduct its own operations since 2022. The activity, first observed in December 2022, is the latest instance of the nation-state adversary "embedding
Analysis Summary
# Threat Actor: Turla (Secret Blizzard)
## Attribution & Identity
* **Attribution:** Russia-linked Advanced Persistent Threat (APT) group, assessed to be affiliated with Russia's Federal Security Service (FSB).
* **Known Aliases:** Blue Python, Iron Hunter, Pensive Ursa, **Secret Blizzard** (formerly Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, Waterbug.
* **Associated Groups/Infrastructure Used:** Has been documented "embedding themselves" in the operations of other threat actors, notably **Storm-0156** (Pakistan-based group), OilRig (Iranian APT), and using infrastructure associated with SideCopy and Transparent Tribe.
## Activity Summary
Turla (Secret Blizzard) has been conducting a previously undocumented campaign since at least December 2022 involving infiltrating the Command-and-Control (C2) servers of the Pakistan-based hacking group Storm-0156. Turla expanded control over Storm-0156 C2s by mid-2023 to leverage their existing intrusions. They used the compromised infrastructure to deploy custom malware onto networks related to various Afghan government entities. Turla also accessed and used the C2 infrastructure of Iranian APTs (like OilRig) in past operations (2019). They also piggybacked on attack infrastructure used by the commodity malware ANDROMEDA (2023) and utilized the Tomiris backdoor attributed to Storm-0473 (2023).
## Tactics, Techniques & Procedures
* **Infrastructure Hijacking/Co-option:** An intentional part of Turla's tradecraft: gaining access to and using other threat actors' C2 infrastructure (Storm-0156, Iranian APTs) to advance its own objectives and cloud attribution.
* **Lateral Movement:** Abusing trust relationships on Storm-0156 operator workstations to gain intelligence regarding tooling, C2 credentials, and exfiltrated data.
* **Deployment Chain:** Leveraging existing infections (e.g., a Crimson RAT infection established by Storm-0156 in March 2024) to download and execute their custom malware in August 2024.
* **Data Collection:** Monitoring and logging data saved to the Windows clipboard.
* **Tool Chaining:** Deploying custom downloaders to fetch secondary stage binaries.
* **Specific TTPs Mentioned:**
  * Deployment of custom malware (*TwoDash*, *Statuezy*).
  * Use of the *MiniPocket* downloader, which connects over TCP to a hard-coded IP/port to retrieve and run second-stage binaries.
  * Commandeering Storm-0156 backdoors such as *Crimson RAT* and an undocumented Golang implant called *Wainscot*.
## Targeting
* **Sectors:** Government, diplomatic, and military organizations (historically). In the recent campaign: Afghan government entities; Indian military and defense-related institutions (via C2 data exfiltration servers).
* **Geography:** Targeted victims observed in Afghanistan and India (via Storm-0156 infrastructure).
* **Victims:** Specific networks related to various **Afghan government entities**. C2 servers implicated in collecting exfiltrated data from **Indian military and defense-related institutions**.
## Tools & Infrastructure
* **Malware Families Used:**
  * **Custom Malware:** *TwoDash* (bespoke downloader), *Statuezy* (clipboard monitoring trojan).
  * **Secondary Downloaders:** *MiniPocket*.
  * **Commandeered/Reused Tools:** *Crimson RAT*, *Wainscot* (undocumented Golang implant).
  * **Historical Toolset:** Snake, ComRAT, Carbon, Crutch, Kazuar, HyperStack (BigBoss), and TinyTurla.
* **Infrastructure:** Utilizing compromised C2 infrastructure belonging to Storm-0156. C2 traffic observed emanating from this infrastructure. (No specific de-fanged IPs/domains provided for Turla's observed C2s, only for MiniPocket [hard-coded]).
## Implications
Turla's decades-long history demonstrates a sophisticated, patient, and adaptive approach, characterized by an intentional pattern of hijacking infrastructure and tools from other threat actors (Russian, Iranian, Pakistani, or otherwise). This technique allows Turla (Secret Blizzard) to establish footholds on networks of interest with minimal direct effort, enabling intelligence collection pertaining to targets in South Asia (Afghanistan/India) without directly targeting them, although the resulting intelligence may not perfectly align with their own collection priorities. This strategy significantly complicates attribution.
## Mitigations
* Implement robust network monitoring to detect lateral movement and command-and-control beaconing originating from or destined for infrastructure associated with known threat actors (Storm-0156, Transparent Tribe).
* Review security posture concerning supply chain risks inherent in using third-party infrastructure or tools that might be compromised by APT groups.
* Strengthen access controls and audit trust relationships, particularly those related to C2 operators, to prevent abuse and credential theft.
* Implement endpoint detection focusing on system activity related to established commodity malware (like Crimson RAT) that Turla might use as an initial access vector for subsequent payload deployment.
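The first mitigation above (monitoring for C2 traffic to infrastructure associated with other actors) and the MiniPocket TTP (TCP connections to a hard-coded IP/port) can be turned into a concrete detection. The following is an added example, not code from the report: it matches connection logs against an attribution-labelled watchlist and flags regular-interval TCP polling of one destination. The log format, the watchlist labels, the IPs (RFC 5737 test ranges) and the assumption that such an implant polls on a fixed period are all constructed for illustration; the report publishes no indicators for Turla's C2s.

```python
"""Flag connections to watchlisted C2 infrastructure and periodic beaconing.
Added example for the network-monitoring mitigation, not code from the report;
the log format, labels and IPs are constructed placeholders (RFC 5737 ranges)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watchlist: placeholder IP -> infrastructure attribution.
WATCHLIST = {
    "192.0.2.10": "Storm-0156 C2 (placeholder)",
    "198.51.100.7": "Transparent Tribe C2 (placeholder)",
}
# Constructed connection log, one flow per line: time src dst dport proto
SAMPLE_LOG = """\
2024-08-01T10:00:00 10.1.1.5 192.0.2.10 4443 tcp
2024-08-01T10:00:02 10.1.1.5 203.0.113.9 443 tcp
2024-08-01T10:05:01 10.1.1.5 192.0.2.10 4443 tcp
2024-08-01T10:10:00 10.1.1.5 192.0.2.10 4443 tcp
2024-08-01T10:15:02 10.1.1.5 192.0.2.10 4443 tcp
2024-08-01T10:16:00 10.1.1.8 198.51.100.7 80 tcp
2024-08-01T10:20:00 10.1.1.5 192.0.2.10 4443 tcp
"""

def parse_log(text):
    """Yield (time, src, dst, dport, proto) from the constructed log lines."""
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), proto

def detect(text, min_hits=4, max_jitter=0.2):
    """Return (kind, src, dst, dport, detail) alerts.
    "watchlist": destination is on the actor-infrastructure watchlist.
    "beacon": >= min_hits TCP connections to one dst:port whose inter-arrival
    times deviate by at most max_jitter of their mean (assumed here as the
    observable of an implant polling a hard-coded IP/port over TCP)."""
    flows = defaultdict(list)
    alerts = []
    for ts, src, dst, dport, proto in parse_log(text):
        hit = ("watchlist", src, dst, dport, WATCHLIST.get(dst))
        if hit[4] and hit not in alerts:  # one alert per (src, dst, port)
            alerts.append(hit)
        if proto == "tcp":
            flows[(src, dst, dport)].append(ts)
    for (src, dst, dport), times in flows.items():
        times.sort()  # logs are not guaranteed to arrive in order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and pstdev(gaps) <= max_jitter * mean(gaps):
            alerts.append(("beacon", src, dst, dport, f"period~{mean(gaps):.0f}s"))
    return alerts
```

The beacon rule fires on the 10.1.1.5 flow (five connections roughly 300 s apart) even if its destination were not yet on the watchlist, which is the point when an actor is operating from infrastructure attributed to someone else.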