Turla: Mastering the Art of Cyber Espionage through Infrastructure Hijacking


In the labyrinth of cyber espionage, few actors are as enigmatic and resourceful as Turla, a Russia-linked Advanced Persistent Threat (APT) group with a history spanning nearly three decades. Known for their stealthy and innovative approaches, Turla continues to raise the bar for nation-state cyber operations.

Their latest campaign, unveiled by Lumen Technologies Black Lotus Labs, reveals an extraordinary feat of infiltration: hijacking the command-and-control (C2) infrastructure of Storm-0156, a Pakistan-based hacking group, to expand their espionage activities. This meticulously planned operation exemplifies Turla's strategy of embedding themselves within other threat actors’ operations, obscuring attribution while achieving their objectives with minimal effort.

Unveiling the Campaign: Turla and Storm-0156

In December 2022, Turla gained access to a C2 server operated by Storm-0156. Over the following months, they extended their control to multiple servers associated with the group, exploiting this infrastructure to deploy their proprietary malware tools.

What Sets Turla Apart: A Unique Blend of Strategy and Innovation

Turla’s success in the cyber espionage landscape is not just a result of sophisticated malware or advanced tools—it’s their operational philosophy that truly sets them apart. Unlike many other APT groups that rely on brute-force infiltration or continuous deployment of new tools, Turla focuses on strategic infiltration, resource efficiency, and camouflaged operations.

Infrastructure Hijacking as a Core Tactic

Most APT groups create and maintain their own command-and-control (C2) infrastructure, which requires significant resources and exposes their activities. Turla, however, leverages existing infrastructures—often of other threat actors. This is not just opportunistic but a calculated move to:

  • Reduce Operational Costs: By piggybacking on others’ systems, Turla minimizes the need for their own infrastructure.
  • Evade Detection: Security teams often attribute malicious activity to the original operators of the compromised infrastructure, allowing Turla to operate undetected.
  • Blend Into the Noise: Operating within established malicious ecosystems makes distinguishing Turla's activities extremely challenging.

This tactic of “shadowing” other threat actors is rare and requires an unparalleled understanding of adversaries’ tools, techniques, and procedures (TTPs).

Precision Targeting and Patience

Turla’s campaigns are rarely “spray-and-pray” operations. They are characterized by:

  • Selective Targeting: Focusing on high-value entities like government agencies, military institutions, and diplomatic bodies.
  • Long-Term Persistence: Turla doesn’t rush its operations. They patiently infiltrate networks, often remaining undetected for years, collecting data, and waiting for the perfect moment to strike.

This patience is evident in their hijacking campaigns. For example, in their 2022-2023 campaign against Storm-0156, Turla spent months silently expanding control over C2 servers before deploying their tools.

Adaptability in Adversarial Environments

Few groups exhibit Turla’s ability to adapt to shifting geopolitical and technological landscapes. They have mastered the art of operational camouflage, ensuring their techniques evolve faster than defenders can respond.

  • Co-opting Diverse Tools: From commodity malware like ANDROMEDA to custom implants like QUIETCANARY and TwoDash, Turla’s ability to repurpose and integrate tools from various sources is unmatched.
  • Cross-Border Collaboration (or Exploitation): Turla doesn’t operate in isolation. By hijacking operations of groups like OilRig (Iran) or Storm-0156 (Pakistan), they demonstrate a deep understanding of international cybercriminal ecosystems and how to exploit them.

Psychological Warfare Through Misattribution

A critical aspect of Turla's operations is their psychological manipulation of cybersecurity teams. By embedding their campaigns within those of other APTs, they:

  • Create Attribution Confusion: Analysts often struggle to distinguish Turla’s activities from those of the compromised actors, leading to delays in countermeasures.
  • Undermine Confidence in Defenders: The complexity of Turla’s operations can create frustration and hesitation among cybersecurity teams, especially when victims believe they’re dealing with one threat actor while another pulls the strings.

Multifaceted Toolset with a Human Touch

While Turla’s technical arsenal is impressive—featuring tools like Snake, ComRAT, Kazuar, and Statuezy—it is their human operators that truly make the difference.

  • Deep Reconnaissance: Turla’s operators meticulously study their targets, crafting malware and strategies tailored to specific networks and vulnerabilities.
  • Manual Adjustments: Unlike fully automated campaigns, Turla often makes real-time adjustments, indicating a high level of expertise and situational awareness.

A Legacy of Innovation

What truly makes Turla unique is their ability to challenge conventional wisdom in cybersecurity. They have repeatedly shown that cyber warfare is not just about technology but also about strategy, deception, and adaptability. Their campaigns blur the lines between threat actors, creating a new paradigm where attribution becomes a battle of wits.

As cyber defenders, understanding Turla’s unique operational philosophy is crucial to building robust defenses. Turla isn’t just a threat actor—they are a masterclass in how to turn the rules of cyber warfare on their head.

Key Elements of the Campaign

Compromised Infrastructure

Turla’s initial access to Storm-0156’s servers allowed them to manipulate the group’s existing operations. By August 2024, Turla was deploying tools like:

  • TwoDash: A custom downloader used to deliver secondary payloads.
  • Statuezy: A trojan capable of monitoring clipboard data, enabling sensitive information harvesting.

Through Storm-0156’s compromised servers, Turla infiltrated Afghan government networks and targeted Indian defense institutions, demonstrating their focus on South Asia.

Hijacked Backdoors

Turla commandeered backdoors like Crimson RAT, a well-known malware tool used by Storm-0156, alongside a newly discovered Golang implant dubbed Wainscot.

Lateral Movement

Perhaps the most alarming aspect was Turla’s lateral movement into the operator’s workstation, where they gained access to:

  • Tooling and C2 credentials
  • Exfiltrated data from prior operations

This escalation allowed Turla to monitor Storm-0156’s activities and indirectly collect intelligence on the latter's targets of interest without exposing their own resources.

What is Command and Control (C2) in Cybersecurity?

Command and Control (C2) refers to the infrastructure attackers use to manage and sustain communication with malware deployed on compromised systems or networks. It serves as the operational hub for cyberattacks, enabling threat actors to issue commands, exfiltrate data, and monitor their malicious activities in real time. At its core, a C2 infrastructure comprises a central server controlled by the attacker, communication channels (such as HTTP, HTTPS, or DNS), and infected systems (often called bots or zombies) that execute the received instructions. The C2 infrastructure allows attackers to perform critical functions, such as issuing commands to collect sensitive information, deploying additional malware payloads, or maintaining persistence on compromised networks.

C2 systems can operate using centralized architectures, where infected devices communicate with a single server, or decentralized setups, like peer-to-peer networks, which enhance resilience against takedowns. Advanced techniques, such as domain generation algorithms (DGA), further obfuscate C2 communications by generating random domain names for malware to connect with, making detection and blocking more difficult. Defenders often rely on network monitoring, behavioral analysis, and threat intelligence to identify C2 traffic. Techniques like sinkholing—redirecting malicious traffic to controlled environments—are also employed to neutralize these infrastructures. Understanding C2 is vital in cybersecurity, as disrupting it can dismantle an attacker’s ability to execute and sustain their operations.
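The paragraph above mentions two things defenders look for in C2 traffic: the random-looking domain names a DGA produces, and the regular check-in cadence of infected hosts. The following Python script is an added example (not code from the original article, Black Lotus Labs, or any of the tooling named on this page) showing both checks over a constructed resolver log. The log lines, the IP addresses, the `.info` names and the thresholds (label length 10, entropy 3.2 bits, digit ratio 0.2, coefficient of variation 0.1) are all assumptions chosen for illustration.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample resolver log (not real traffic): "<ISO timestamp> <client IP> <queried name>".
# 10.0.0.7 resolves a new random-looking .info name every 60 seconds; 10.0.0.5 is ordinary.
SAMPLE_DNS_LOG = """\
2024-08-01T10:00:00 10.0.0.5 www.example.com
2024-08-01T10:00:01 10.0.0.5 cdn.example.net
2024-08-01T10:00:05 10.0.0.7 xk3q9v2nzp7w1ls.info
2024-08-01T10:01:05 10.0.0.7 b8t0rf4mzq6yhc2.info
2024-08-01T10:02:05 10.0.0.7 q2n7vz9x4pk1wls.info
2024-08-01T10:03:05 10.0.0.7 m4hz7k2qvt9x0ns.info
2024-08-01T10:03:10 10.0.0.5 mail.example.com
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking strings score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Naive second-level label: 'www.example.com' -> 'example' (assumed: no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def is_dga_like(label):
    """Heuristic (assumed thresholds): long, high-entropy label with many digits or long consonant runs."""
    if len(label) < 10:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= 3.2 and (digit_ratio >= 0.2 or longest_consonant_run(label) >= 4)


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, qname = m.groups()
        records.append((datetime.fromisoformat(ts), client, qname))
    return records


def analyze_dns_log(text, min_queries=3, max_cv=0.1):
    """Return DGA-like lookups and the clients issuing them at a near-constant interval."""
    records = sorted(parse_dns_log(text))  # tuples sort by timestamp first
    dga_like = []
    times = defaultdict(list)
    for ts, client, qname in records:
        if is_dga_like(registrable_label(qname)):
            dga_like.append((client, qname))
            times[client].append(ts)
    beacons = {}
    for client, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation means a fixed cadence, typical of a beaconing implant
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[client] = avg
    return {"dga_like": dga_like, "beacons": beacons}


if __name__ == "__main__":
    result = analyze_dns_log(SAMPLE_DNS_LOG)
    for client, qname in result["dga_like"]:
        print(f"DGA-like lookup: {client} -> {qname}")
    for client, seconds in result["beacons"].items():
        print(f"Possible C2 beacon: {client} every {seconds:.0f}s")
```

On the sample above the script flags the four `.info` lookups from 10.0.0.7 and reports that host as beaconing every 60 seconds. Entropy heuristics alone produce false positives on CDN and cloud hostnames, so in practice the DGA check is paired with an allowlist of known infrastructure and with the cadence check, which is what turns a handful of odd-looking names into a credible C2 lead.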

The Turla Playbook: A History of Hijacking

Turla’s modus operandi of hijacking other groups’ infrastructure has become a hallmark of their operations, providing cost-effective and low-risk ways to achieve their goals.

Past Operations

Iranian APTs (OilRig)

2019: Turla exploited the C2 infrastructure of Iranian threat actors, deploying their tools onto shared victims. Outcome: A clever misdirection tactic that disguised their operations as those of Iranian actors.

Commodity Malware (ANDROMEDA)

January 2023: Turla used ANDROMEDA’s attack infrastructure to deploy reconnaissance tools and backdoors in Ukraine.

Kazakhstan-based Tomiris Backdoor

September 2022: Leveraged the Tomiris backdoor to deploy QUIETCANARY, collecting intelligence on Central Asian targets.

This track record underlines Turla’s ability to adapt, innovate, and thrive in the cyber espionage domain.

Implications of Turla’s Strategy

Obfuscated Attribution

By embedding their operations within other threat actors’ infrastructure, Turla creates a smokescreen that confuses attribution efforts. Security analysts often mistake their activities for those of the hijacked group, delaying response and mitigation.

Enhanced Intelligence Collection

Hijacking infrastructure provides Turla with immediate access to valuable intelligence gathered by other actors, broadening their operational scope with minimal effort.

Broader Geopolitical Reach

The latest campaign underscores Turla’s increasing focus on South Asia, especially:

  • Afghan governmental entities
  • Indian military and defense-related institutions

By piggybacking on Storm-0156’s operations, Turla gains a foothold in high-value networks without revealing their direct involvement.

Defensive Challenges and Recommendations

Why Turla’s Methods Are Effective

  • Sophistication of Tools: Tools like TwoDash and Statuezy are designed to remain undetected while performing highly targeted espionage.
  • Co-opting Existing Campaigns: By exploiting other APT groups’ operations, Turla circumvents many traditional defensive measures.
  • Complex Attribution: Analysts must untangle a web of overlapping tactics and techniques, complicating remediation efforts.

Enhanced Network Monitoring

Monitor for lateral movement, especially toward C2 servers and operator workstations. Deploy AI-based anomaly detection tools for proactive threat identification.

Threat Intelligence Collaboration

Share intelligence across organizations and borders to identify reused infrastructure and similar attack patterns.

Supply Chain Security

Conduct thorough security assessments of third-party vendors and partners to mitigate the risk of hijacked operations impacting your networks.

Robust Attribution Frameworks

Invest in frameworks like the MITRE ATT&CK matrix to accurately map adversary behaviors and distinguish between overlapping APT operations.

Malware Analysis and Patching

Ensure timely updates and patches for known vulnerabilities exploited by tools like Crimson RAT and newly discovered implants like Wainscot.

Conclusion: A Call for Vigilance

Turla’s latest campaign serves as a wake-up call for the global cybersecurity community. Their ability to hijack infrastructure, obscure their tracks, and leverage others' operations for their gain highlights the ever-evolving sophistication of nation-state actors.

As geopolitical tensions rise, APTs like Turla will continue to push the boundaries of cyber espionage. Staying one step ahead demands collective action—enhanced threat intelligence sharing, advanced attribution techniques, and a commitment to proactive defense.

In the shadowy corridors of cyberspace, Turla stands as a reminder of the power of stealth and strategy. To counter them, defenders must shine a light on their tactics and never underestimate the complexity of modern cyber warfare.

Copyright © 2024 CYUN. All rights reserved.