1. Deploy custom malware:
   – TwoDash (downloader)
   – Statuezy (clipboard monitoring trojan)
   – MiniPocket (custom downloader)
2. Target specific networks:
   – Afghan government entities
   – Indian military and defense institutions
3. Leverage existing compromises:
   – Utilized Storm-0156’s Crimson RAT infections
   – Accessed exfiltrated data from previous campaigns
   – Gained control of multiple C2 servers
This campaign follows Turla’s pattern of hijacking other threat actors’ infrastructure, with previous instances involving:
– Iranian APT OilRig (2019)
– ANDROMEDA malware infrastructure (2023)
– Kazakhstan-based Storm-0473’s Tomiris backdoor (2023)
The FSB-linked group successfully accessed Storm-0156 operator workstations, obtaining valuable intelligence about their tools, credentials, and collected data. This strategy allows Turla to gather intelligence while minimizing direct engagement with targets and complicating attribution efforts.