Indian and Afghan organizations have been targeted by Russian state-backed advanced persistent threat operation Turla, also known as Pensive Ursa, Secret Blizzard, and Iron Hunter, through the infiltration of Pakistani hacking gang Storm-0156's command-and-control servers since late 2022, according to The Hacker News.
After achieving initial access to a Storm-0156 C2 server in December 2022, Turla sought to take over more of the Pakistani threat operation's C2s to compromise Afghan government organizations' networks with the TwoDash downloader and Statuezy trojan, a report from Lumen Technologies' Black Lotus Labs showed. A separate report from Microsoft revealed that Turla had leveraged the C2 servers to appropriate Storm-0156's previous Crimson RAT infections to facilitate the execution of the TwoDash and MiniPocket downloaders.
"Taking advantage of the campaigns of others allows Secret Blizzard to establish footholds on networks of interest with relatively minimal effort. However, because these initial footholds are established on another threat actor's targets of interest, the information obtained through this technique may not align entirely with Secret Blizzard's collection priorities," said Microsoft.