Russian Cyber Spies Commandeer Pakistani Hackers’ Network in Audacious Double-Hack

Russian cyber-espionage group Turla has been discovered hijacking Pakistani threat actor Storm-0156’s infrastructure to conduct covert attacks. The operation, tracked since January 2023 by Lumen’s Black Lotus Labs and Microsoft’s Threat Intelligence Team, began in December 2022.

Turla, linked to Russia’s FSB, accessed networks previously compromised by Storm-0156, including Afghan and Indian government organizations. They deployed various malware tools including:
– TinyTurla backdoor variant
– TwoDash backdoor
– Statuezy clipboard monitor
– MiniPocket downloader

Key targets included:
– Afghan Ministry of Foreign Affairs
– General Directorate of Intelligence
– Afghan government consulates
– Indian military and defense institutions

By mid-2023, Turla had infiltrated Storm-0156’s workstations, accessing their malware tools (CrimsonRAT and Wainscot) and stolen data. This strategy allows Turla to:
– Gather intelligence stealthily
– Avoid direct attribution
– Shift blame to other actors

This isn’t Turla’s first such operation – they previously exploited Iranian group OilRig’s infrastructure (2019) and Andromeda malware victims in Ukraine (2022). Lumen is now blocking all traffic from known command and control infrastructure on their network.
