Sometimes hackers don’t even bother doing their own hacking and instead latch on to other hackers who they know have been successful in their attacks. One such Russia-linked Advanced Persistent Threat (APT) group, Turla (a.k.a. Secret Blizzard), has been linked to a campaign that involved infiltrating the command and control (C2) servers of the Pakistani hacker group Storm-0156 to conduct its own operations for the past two years. The intent appears to be to latch on to the ongoing espionage campaigns the latter is running against South Asian government and military entities and steal the information they collect.
Turla has been linked to Russia’s Federal Security Service (FSB) and, since December 2022, has been embedded in Storm-0156’s C2 servers as well as individual workstations, accessing sensitive information gathered from various Afghan government agencies and from Indian military and defense targets.
This parasitic behaviour is not new at all. Hackers, even those linked to nation-states, often make easy pickings of other hackers, who usually don’t focus on their own defences as much as they do on their campaigns. This is because not only do these hackers want to spend most of their time on offensive work to maximise returns, but also most of the tools available on the market are not reliable for them, as demonstrated by a recent instance in which a group of hackers experimented with Palo Alto’s XDR solution, giving Palo Alto’s researchers a window into their operations.
Although it isn’t clear how Turla gained initial access to Storm-0156’s servers, researchers speculate that Turla identified the target nodes by monitoring public reports, much as a threat researcher would, and then looked for a way to infiltrate what it found.
Once it had infected the C2 servers and pivoted into most of their workstations, Turla had extensive visibility into and control over Storm-0156’s tools, tactics, techniques and procedures (TTPs), and the data they had already stolen from victims.
In the case of the Afghan government entities, Turla dropped backdoors into their systems using the access that Storm-0156 had already gained, allowing it to steal sensitive information directly. Victims included the Afghan Ministry of Foreign Affairs, the General Directorate of Intelligence (GDI), and foreign consulates.
In the case of the Indian entities, Turla used a different tactic: instead of deploying its own backdoors and engaging with the data directly, it deployed backdoors against Storm-0156 itself, siphoning off sensitive records that the Pakistanis were already stealing. Victims included Indian military and defence entities.
This difference in tactics could reflect political considerations within the Russian leadership.