5 December 2024

Russian Turla hijacks C2 infrastructure of Pakistani hackers in espionage campaign

Lumen’s Black Lotus Labs has uncovered a sophisticated espionage campaign orchestrated by the Russia-based threat actor the researchers track as “Secret Blizzard,” also known as Turla. The group, linked to the Russian Federal Security Service (FSB), has infiltrated the command-and-control (C2) infrastructure of the Pakistan-based actor Storm-0156 as part of its “spy-on-spy” tactics.

According to Black Lotus Labs, Secret Blizzard successfully breached 33 C2 nodes operated by Storm-0156, a group publicly associated with the espionage-focused clusters SideCopy and Transparent Tribe. The campaign, spanning two years, is the fourth recorded instance of Secret Blizzard infiltrating another threat actor’s operations.

The operation began in December 2022, when Secret Blizzard gained initial access to a Storm-0156 C2 server. By mid-2023, the group had expanded its control, leveraging the infrastructure to deploy its malware, TwoDash and Statuezy, against networks linked to Afghan government entities. By April 2023, the Russian group had infiltrated workstations of Pakistani-based Storm-0156 operators, obtaining sensitive data, including credentials, tooling insights, and exfiltrated information from prior operations.

By mid-2024, Secret Blizzard further escalated its campaign, repurposing two additional malware families, Wainscot and CrimsonRAT. The latter, previously deployed against Indian government and military targets, was used to extract data from prior campaigns conducted by Storm-0156.

Black Lotus Labs, in collaboration with Microsoft threat hunters, observed Turla's interactions with a subset of CrimsonRAT C2 nodes. Interestingly, Turla engaged with only seven out of the available nodes.

“This selective engagement implies that, while they had the capability to access all nodes, their tool deployment was strategically limited to those associated with the highest priority targets in India,” Black Lotus Labs said.

Microsoft’s separate analysis reveals how Turla has systematically infiltrated the infrastructure of at least six state-sponsored and criminal hacking groups since 2017. These include Iranian (Hazel Sandstorm), Kazakhstani (Storm-0473), and other unnamed actors.
