Russian Hackers Hijack Pakistani Cyber Group’s Network to Launch Stealth Attacks on Afghanistan and India

Russian APT group Turla (aka Secret Blizzard) has been discovered infiltrating the command-and-control (C2) servers of Pakistani hacking group Storm-0156 since December 2022. This sophisticated operation allowed Turla to:

1. Deploy custom malware:
– TwoDash (downloader)
– Statuezy (clipboard monitoring trojan)
– MiniPocket (custom downloader)

2. Target specific networks:
– Afghan government entities
– Indian military and defense institutions

3. Leverage existing compromises:
– Utilized Storm-0156’s Crimson RAT infections
– Accessed exfiltrated data from previous campaigns
– Gained control of multiple C2 servers

This campaign follows Turla’s pattern of hijacking other threat actors’ infrastructure, with previous instances involving:
– Iranian APT OilRig (2019)
– ANDROMEDA malware infrastructure (2023)
– Kazakhstan-based Storm-0473’s Tomiris backdoor (2023)

The FSB-linked group successfully accessed Storm-0156 operator workstations, obtaining valuable intelligence about their tools, credentials, and collected data. This strategy allows Turla to gather intelligence while minimizing direct engagement with targets and complicating attribution efforts.