Turla, a long-running Russian cyber-espionage group attributed to the Federal Security Service (FSB) and tracked by Microsoft as Secret Blizzard, has been identified hijacking the infrastructure of a Pakistan-based APT. The operation, spanning December 2022 to mid-2023, is the fourth known instance since 2019 of Turla embedding itself in another threat actor’s infrastructure. By riding on Pakistani command-and-control (C2) servers, the group extended its reach to government and military targets in Afghanistan and India.
Turla’s approach continues a pattern of piggybacking on other actors’ access and infrastructure rather than building its own for every campaign. Previous investigations have tied Turla to numerous high-profile intrusions, underscoring its longstanding presence in the espionage landscape.
How Did Turla Gain Access to Pakistani APT Infrastructure?
According to reports from Microsoft’s Threat Intelligence Center and Lumen’s Black Lotus Labs, Turla first gained access to a Pakistani C2 server in December 2022. By mid-2023, its control had extended to multiple C2 nodes belonging to Storm-0156, a cluster whose activity overlaps with Transparent Tribe (APT36). This access let Turla push its own tooling, including the TwoDash downloader and the Statuezy clipboard-monitoring trojan, into Afghan government networks through the hijacked infrastructure.
What Impact Did Turla’s Operations Have on Targeted Networks?
In Afghanistan, Turla deployed its backdoors into the Ministry of Foreign Affairs and the General Directorate of Intelligence, gaining unauthorized access to sensitive data. In India, the picture differed: rather than breaching Indian networks directly, Turla largely harvested the military data that Storm-0156 had already exfiltrated by reaching into that group’s own servers. The one notable exception was a TwoDash deployment directly onto an Indian desktop, indicating at least some direct, targeted espionage.
How Are Security Firms Responding to Turla’s Tactics?
“We’ve seen those highly skilled espionage actors who can work through cutouts [and] will do that whenever they can,” said Ryan English, an engineer with Black Lotus Labs. “I think Secret Blizzard is patient enough and skilled enough to look for those opportunities. It certainly can benefit any group that has the ability to [use other groups’ infrastructure], but in practice, it is harder than it looks.”
In response, Lumen has blocked traffic to the known hostile IP addresses linked to Turla and Storm-0156 across its network. Microsoft and Lumen continue to publish indicators of compromise in their threat intelligence feeds so that defenders can detect related activity.
Turla’s method reflects a long-running preference for operating through other threat actors’ infrastructure to mask its own activity. Doing so broadens its intelligence collection at low cost and, more importantly for defenders, muddies attribution during incident response: a connection to a “known APT36 C2” may in fact be Turla traffic, and the true source of an intrusion cannot be inferred from infrastructure alone.
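The attribution problem above can be made concrete with a small indicator-triage routine. This is an added example, not code from the article or from Microsoft or Lumen: it indexes a constructed IOC feed in which each indicator carries an actor tag and an observation window, and, for a given C2 hit, returns every actor whose window covers the observation instead of a single name. The feed rows, the RFC 5737 documentation IP addresses and the dates are all made up for illustration; real feeds would supply the actual values.

```python
"""Attribute a C2 hit to candidate actors rather than one actor.

Added example for this article. FEED is constructed sample data (RFC 5737
documentation addresses, invented dates); it is not a real indicator list.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed feed: one row per (indicator, actor) pairing with the window in
# which that actor was observed using the indicator. The overlap on the first
# address models the scenario in the article: a Storm-0156 C2 that Turla
# (Secret Blizzard) also operated from December 2022 to mid-2023.
FEED = """indicator,actor,first_seen,last_seen
203.0.113.10,Storm-0156,2021-06-01,2023-08-31
203.0.113.10,Secret Blizzard,2022-12-01,2023-06-30
198.51.100.7,Storm-0156,2022-01-15,2023-09-30
192.0.2.44,Secret Blizzard,2023-02-01,2023-07-31
"""


def load_feed(text):
    """Index indicator -> list of (actor, first_seen, last_seen) tuples."""
    index = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        index[row["indicator"]].append(
            (
                row["actor"],
                date.fromisoformat(row["first_seen"]),
                date.fromisoformat(row["last_seen"]),
            )
        )
    return index


def candidate_actors(index, indicator, observed):
    """Actors whose use of `indicator` was active on the `observed` date."""
    return sorted(
        actor
        for actor, first, last in index.get(indicator, [])
        if first <= observed <= last
    )


def triage(index, indicator, observed):
    """Classify a hit: unknown, single-actor, or shared-infrastructure.

    A shared-infrastructure verdict means the C2 alone cannot settle
    attribution; corroborate with the implant family found on the host.
    """
    actors = candidate_actors(index, indicator, observed)
    if not actors:
        return "unknown", actors
    if len(actors) > 1:
        return "shared-infrastructure", actors
    return "single-actor", actors


INDEX = load_feed(FEED)

if __name__ == "__main__":
    # A hit on the shared C2 in March 2023 yields two candidates, not one.
    print(triage(INDEX, "203.0.113.10", date(2023, 3, 1)))
    # The same address a year earlier was only ever tied to Storm-0156.
    print(triage(INDEX, "203.0.113.10", date(2022, 3, 1)))
```

The design point is that the actor tag on an indicator is itself an attribution with a time window, so a lookup should return a set of candidates bounded by date. When the set has more than one member, the analyst knows to pivot to host-based evidence, such as which implant family is present, before naming a group in the incident report.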
Turla’s takeover of Storm-0156’s infrastructure shows that one espionage group’s C2 can silently become another’s, with the original operator as much a victim as its targets. Defenders should treat infrastructure-based attribution as provisional, corroborate it with host-level tooling, and, when indicators for one of these groups fire, hunt for the other group’s implants as well.
- Turla hijacked Storm-0156’s command-and-control infrastructure for its own espionage operations.
- The group deployed malware in Afghan and Indian government systems.
- Security firms are actively blocking and tracking Turla’s activities.