The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undocumented campaign that involved infiltrating the command-and-control (C2) servers of a Pakistan-based hacking group called Storm-0156 to conduct its own operations since 2022.
The activity, first seen in December 2022, is the latest case of an adversary nation-state “embedding itself” in another group’s malicious operations to further its own goals and cloud attribution efforts, Lumen Technologies’ Black Lotus Labs said.
“In December 2022, Secret Blizzard initially gained access to the Storm-0156 C2 server and by mid-2023 had extended its control to a number of C2s associated with the Storm-0156 actor,” the company said in a report shared with The Hacker News.
Using its access to these servers, Turla was found to be taking advantage of intrusions already orchestrated by Storm-0156 to deploy its own malware, tracked as TwoDash and Statuezy, in a select number of networks associated with various Afghan government entities. TwoDash is a custom downloader, while Statuezy is a trojan that monitors and logs data stored on the Windows clipboard.
Microsoft’s Threat Intelligence team, which also published its own findings, said Turla used infrastructure tied to Storm-0156 that overlaps with clusters of activity tracked as SideCopy and Transparent Tribe.
“Secret Blizzard’s command-and-control (C2) traffic originated from Storm-0156’s infrastructure, including infrastructure used by Storm-0156 to collate stolen data from campaigns in Afghanistan and India,” Microsoft said in a coordinated report shared with the publication.
Turla, also known by the names Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, SUMMIT, Uroburos, Venomous Bear and Waterbug, is believed to be linked to Russia’s Federal Security Service (FSB).
In operation for nearly 30 years, the threat actor operates a diverse and complex toolkit including Snake, ComRAT, Carbon, Crutch, Kazuar, HyperStack (aka BigBoss), and TinyTurla. It primarily targets government, diplomatic and military organizations.
The group also has a history of hijacking the infrastructure of other threat actors for its own purposes. In October 2019, the U.K. National Cyber Security Centre (NCSC) revealed Turla’s use of Iranian threat actor backdoors to advance its own intelligence needs.
“Turla accessed and used the command and control (C2) infrastructure of Iranian APTs to deploy their own tools to their victims of interest,” the NCSC said at the time.
Then in January 2023, Google-owned Mandiant noted that Turla used the attack infrastructure of a commodity malware called ANDROMEDA to deliver its own reconnaissance and backdoor tools to targets in Ukraine.
The third instance where Turla repurposed another attacker’s tool was documented by Kaspersky in April 2023, when the Tomiris backdoor, attributed to a Kazakhstan-based threat actor tracked as Storm-0473, was used to deploy QUIETCANARY in September 2022.
“The frequency of Secret Blizzard operations to co-opt or control the infrastructure or tools of other threat actors suggests that this is a deliberate component of Secret Blizzard’s tactics and methods,” Microsoft said.
The latest attack campaign discovered by Black Lotus Labs and Microsoft shows that Turla used Storm-0156 C2 servers to deploy backdoors on Afghan government devices, while in India it targeted the C2 servers hosting data stolen from Indian military and defense institutions.
The compromise of Storm-0156 C2 servers also allowed Turla to obtain the latter’s backdoors, such as CrimsonRAT and a previously undocumented Golang implant called Wainscot. Black Lotus Labs told The Hacker News that it is currently unknown how the servers were compromised.
“This allows Secret Blizzard to gather intelligence on Storm-0156 targets of interest in South Asia without targeting those organizations directly,” Microsoft said.
“Taking advantage of others’ campaigns allows Secret Blizzard to establish itself in networks of interest with relatively minimal effort. However, because these initial footholds are established on targets of interest to other threat actors, the information obtained through this method may not fully match Secret Blizzard’s collection priorities.”