Full Report
Both Microsoft and Lumen’s BlackLotus Labs found Turla spying on Afghanistan and India via Pakistani infrastructure. The post Russian-linked Turla caught using Pakistani APT infrastructure for espionage appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Secret Blizzard (Turla)
## Attribution & Identity
**Primary Actor:** Secret Blizzard (Russian cyber-espionage group, frequently referred to as Turla).
**Alleged Affiliation:** Ties to Russia’s Federal Security Service (FSB).
**Operational Strategy:** Known for using the infrastructure of other threat actors (cutouts) to obscure its own involvement and gather intelligence. This marks the fourth recorded incident since 2019 where Turla has embedded itself within another group's operation.
**Associated Groups (Victim/C2 Provider):** Storm-0156 (also known as SideCopy, Transparent Tribe, APT-36), a Pakistan-based APT group.
## Activity Summary
Secret Blizzard gained initial access to a command-and-control (C2) server belonging to Storm-0156 in December 2022. By mid-2023, they extended control across numerous Storm-0156 C2 nodes. The primary objective appears to be espionage, leveraging the compromised infrastructure to target networks in Afghanistan and India. This involved deploying their own backdoors onto the compromised C2 infrastructure and subsequently utilizing it to breach Afghan government networks. Furthermore, Secret Blizzard infiltrated the workstations of Pakistani operators (Storm-0156) by April 2023, likely obtaining operational data, network credentials, and insights into exfiltrated data. By mid-2024, they began deploying malware families appropriated from the Pakistani intrusions for their own purposes.
## Tactics, Techniques & Procedures
- **Initial Access:** Gained access to Storm-0156 C2 servers (initial access mechanisms unknown).
- **Command and Control (C2) Hijacking:** Compromised and extended control over numerous C2 nodes belonging to Storm-0156.
- **Lateral Movement/Deployment:** Used Storm-0156 backdoors to deploy their own custom malware.
- **Intelligence Gathering:** Infiltrated operator workstations to harvest operational data, credentials, and intelligence about the victim group’s activities.
- **Obfuscation:** Employed an established actor's infrastructure (Storm-0156) as a cutout to mask involvement, in contrast with other Turla activities that rely on proprietary tools for masking.
- [No specific MITRE ATT&CK IDs were provided in the source material.]
## Targeting
**Sectors:** Government, Military infrastructure, Foreign Affairs organizations.
**Geography:** Afghanistan (targets included Ministry of Foreign Affairs and the General Directorate of Intelligence); India (focus on servers hosting data exfiltrated from military networks); Pakistan (infiltrating operator workstations).
**Victims:** Afghanistan's Ministry of Foreign Affairs, Afghanistan's General Directorate of Intelligence, Indian military networks (data hosting servers), workstations of Pakistani Storm-0156 operators.
## Tools & Infrastructure
**Malware Families Used by Secret Blizzard/Turla:**
* **TwoDash:** Custom backdoor deployed in Afghan government networks.
* **Statuezy:** Custom backdoor deployed in Afghan government networks.
* **Wasicot:** Malware family appropriated from the Storm-0156 intrusion.
* **CrimsonRAT:** Appropriated from the intrusion; previously used against Indian government institutions.
**Infrastructure:** Utilized and extended control over the C2 infrastructure belonging to the Pakistani group Storm-0156.
## Implications
Secret Blizzard/Turla employs a sophisticated and patient strategy by co-opting the infrastructure of other established threat actors. This technique significantly complicates attribution efforts, as security teams investigating compromises may mistakenly attribute the activity to the cutout group (Storm-0156) instead of the actual perpetrator (Turla/Secret Blizzard). This grants Turla access to sensitive intelligence while providing a high degree of operational security.
## Mitigations
- **Infrastructure Isolation:** Actively monitor and sever traffic to and from known hostile IP addresses associated with compromised infrastructure or suspected threat actor C2s (as implemented by Lumen).
- **Threat Intelligence Incorporation:** Integrate IOCs related to both actors (Secret Blizzard and Storm-0156) into threat intelligence feeds.
- **Specific Tool Detection:** Implement detection mechanisms for known Turla tools like TwoDash, Statuezy, Wasicot, and CrimsonRAT, as well as any bespoke backdoors deployed by Storm-0156 that have been subsequently modified.
- **Advanced Attribution Analysis:** Employ deep-dive analysis techniques to determine the true origin of complex cyber espionage operations that utilize third-party infrastructure.
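The first two mitigations (isolating known hostile infrastructure and carrying IOCs for both actors) run into the attribution problem the report describes: a hit on a hijacked Storm-0156 C2 node may be Turla. The following is an added example, not code or indicators from the report or either vendor; the IOC feed, the addresses (RFC 5737 documentation ranges) and the connection log are all constructed placeholders.

```python
# Added example: match outbound connections against an IOC feed in which a
# hijacked C2 node is attributed to two actors, and flag those hits as ambiguous.
import csv
import io
from collections import Counter

# Constructed IOC feed (placeholder addresses, not real indicators). The first
# entry models a Storm-0156 C2 node that Secret Blizzard took control of.
IOC_FEED = [
    {"indicator": "203.0.113.10", "actors": ("Storm-0156", "Secret Blizzard"), "note": "hijacked Storm-0156 C2"},
    {"indicator": "203.0.113.11", "actors": ("Storm-0156",), "note": "Storm-0156 C2"},
    {"indicator": "198.51.100.5", "actors": ("Secret Blizzard",), "note": "Turla backdoor C2 (placeholder)"},
]

# Constructed outbound connection log in a firewall/NetFlow-style CSV layout.
SAMPLE_LOG = """ts,src_ip,dst_ip,dst_port,bytes_out
2024-06-01T10:00:01Z,10.0.5.21,203.0.113.10,443,48213
2024-06-01T10:00:07Z,10.0.5.21,93.184.216.34,443,1200
2024-06-01T10:02:15Z,10.0.7.40,203.0.113.11,8080,911
2024-06-01T10:05:30Z,10.0.5.21,203.0.113.10,443,70210
"""

def match_connections(log_text, feed):
    """Return one hit per matching connection, carrying every actor known to use the indicator."""
    by_ip = {entry["indicator"]: entry for entry in feed}
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = by_ip.get(row["dst_ip"])
        if entry is None:
            continue
        hits.append({
            "ts": row["ts"], "src_ip": row["src_ip"], "dst_ip": row["dst_ip"],
            "actors": entry["actors"], "note": entry["note"],
            # Shared infrastructure: the indicator alone cannot say which actor ran the session.
            "attribution": "ambiguous-shared-infra" if len(entry["actors"]) > 1 else entry["actors"][0],
        })
    return hits

def block_list(feed):
    """Addresses to sever regardless of attribution (the 'Infrastructure Isolation' mitigation)."""
    return sorted({entry["indicator"] for entry in feed})

def hosts_needing_triage(hits):
    """Internal hosts that contacted ambiguous infrastructure, with contact counts, for deeper analysis."""
    return Counter(hit["src_ip"] for hit in hits if hit["attribution"] == "ambiguous-shared-infra")

if __name__ == "__main__":
    found = match_connections(SAMPLE_LOG, IOC_FEED)
    for hit in found:
        print(hit)
    print("block:", block_list(IOC_FEED))
    print("triage:", dict(hosts_needing_triage(found)))
```

Blocking uses the full indicator set, while the attribution field is only asserted for single-actor indicators; hosts in the triage counter are the ones where host-based evidence (the specific backdoor family, for example) is needed before naming an actor.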