Russian-linked Turla caught using Pakistani APT infrastructure for espionage
A Russian cyber-espionage group with ties to the country’s Federal Security Service has been caught using networks associated with a Pakistan-based APT group. This operation marks the fourth recorded incident since 2019 where the Russian group, known commonly as Turla, has embedded itself within another threat actor’s operations.
The reports, released Wednesday by Microsoft’s Threat Intelligence Center and Lumen’s Black Lotus Labs, find that the Russian group, which researchers refer to as Secret Blizzard, gained initial access to one of the Pakistani group’s command-and-control (C2) servers in December 2022. By mid-2023, it had extended control to numerous C2 nodes associated with the Pakistani actor.
Referred to in the reports as Storm-0156, the Pakistani group has also been previously identified as “SideCopy,” “Transparent Tribe” and APT-36. The group is primarily known for its focus on espionage, targeting government and military infrastructures, particularly in India and Afghanistan.
The operations carried out by Secret Blizzard since November 2022 reveal a coordinated effort to compromise Storm-0156’s command-and-control infrastructure. Although the initial access mechanisms are unknown, Microsoft found that Secret Blizzard effectively used Storm-0156 backdoors to deploy its own backdoors, known as “TwoDash” and “Statuezy,” within Afghanistan’s government networks, including its Ministry of Foreign Affairs and the General Directorate of Intelligence.
In India, Microsoft says Secret Blizzard focused on deploying tools on servers hosting data exfiltrated from Indian military networks. Observations suggest a single instance where the TwoDash backdoor was directly deployed to a desktop in India, indicating possible differences in political directives or operational priorities.
Black Lotus Labs found that by April 2023, the Russian group had used its backdoors to infiltrate the workstations of Pakistani operators, potentially obtaining a wealth of operational data, including insights into the Pakistani actor’s tools, network credentials, and exfiltrated data.
As operations progressed into mid-2024, Turla expanded its use of other malware families, namely Wasicot and CrimsonRAT, which it appropriated from the Pakistani intrusions. CrimsonRAT has notably been employed in past operations against Indian government institutions.
Turla’s work in this particular instance highlights an audacious — yet increasingly common — strategy employed by the group. Unlike other Russian espionage groups that use their own tooling to mask their identity, Turla uses the infrastructure of other cyber threat actors to indirectly gather intelligence. This approach not only provides the group with sensitive information but also strategically obscures its involvement, as incident response efforts may mistakenly attribute the compromises to other groups.
“We’ve seen those highly-skilled espionage actors who can work through cutouts [and] will do that whenever they can,” said Ryan English, an engineer with Black Lotus Labs. “I think Secret Blizzard is patient enough and skilled enough to look for those opportunities. It certainly can benefit any group that has the ability to [use other groups’ infrastructure], but in practice, it is harder than it looks.”
Over the past three years, there have been numerous research reports that tie APT-36 to the particular type of targets highlighted in Microsoft’s and Lumen’s reports.
Both Lumen and Microsoft’s Threat Intelligence Center are actively participating in ongoing efforts to track and mitigate Turla. Lumen has enforced preventative measures by severing traffic to and from known hostile IP addresses tied to the malicious activity of both Turla and APT-36. The research also contains indicators of compromise, which have been incorporated into its threat intelligence feeds.
Turla has been active for over a decade, targeting government, military, and research organizations, often focusing on entities in Europe and former Soviet states. The group is linked to a series of high-profile cyberattacks involving complex malware tools, such as “Snake,” which it uses to conduct intelligence-gathering operations.
You can read the full reports on Lumen’s and Microsoft’s respective websites.