Russian-linked Turla caught using Pakistani APT infrastructure for espionage | CyberScoop<\/title> <meta name=\"description\" content=\"A Russian cyber-espionage group has been caught using networks associated with a Pakistani-based APT group.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/turla-infiltrates-pakistani-apt-networks-microsoft-lumen\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Russian-linked Turla caught using Pakistani APT infrastructure for espionage\"> <meta property=\"og:description\" content=\"A Russian cyber-espionage group has been caught using networks associated with a Pakistani-based APT group.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/turla-infiltrates-pakistani-apt-networks-microsoft-lumen\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-12-04T17:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2024-12-04T17:04:15+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"683\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1733250499g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82798\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82798\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fturla-infiltrates-pakistani-apt-networks-microsoft-lumen%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fturla-infiltrates-pakistani-apt-networks-microsoft-lumen%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82798 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/turla-infiltrates-pakistani-apt-networks-microsoft-lumen\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.621832358674\">\n<div class=\"single-article__header-content\" readability=\"34.422680412371\">\n<p> Both Microsoft and Lumen\u2019s BlackLotus Labs found Turla spying on Afghanistan and India via Pakistani infrastructure. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82798\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage-2.jpg?resize=1012,675 1012w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> The Russian flag flies over the country’s embassy in Washington, D.C., on Feb. 16, 2024. (Photo by Brendan SMIALOWSKI \/ AFP) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"46.337160120846\"><body readability=\"93.95838097416\"><\/p>\n<p>A Russian cyber-espionage group with ties to the country\u2019s Federal Security Service has been caught using networks associated with a Pakistani-based APT group. This operation marks the fourth recorded incident since 2019 where the Russian group, known commonly as Turla, has embedded themselves within another threat actor\u2019s operations.<\/p>\n<p>The reports, released Wednesday by Microsoft\u2019s Threat Intelligence Center and Lumen\u2019s Black Lotus Labs, finds that the Russian group, which researchers refer to as Secret Blizzard, gained initial access to one of the Pakistani group\u2019s command-and-control (C2) servers in December 2022. By mid-2023, they had extended control to numerous C2 nodes associated with the Pakistani actor. <\/p>\n<p>Referred to in the reports as Storm-0156, the Pakistani group has also been previously identified as \u201cSideCopy,\u201d \u201cTransparent Tribe\u201d and APT-36. The group is primarily known for its focus on espionage, targeting government and military infrastructures, particularly in India and Afghanistan.<\/p>\n<p>The operations carried out by Secret Blizzard since November 2022 reveal a coordinated effort to compromise Storm-0156\u2019s command-and-control infrastructure. Despite the unknown initial access mechanisms, Microsoft found that Secret Blizzard effectively used Storm-0156 backdoors to deploy their own backdoors, known as \u201cTwoDash\u201d and \u201cStatuezy,\u201d within Afghanistan\u2019s government networks, including its Ministry of Foreign Affairs and the General Directorate of Intelligence.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In India, Microsoft says Secret Blizzard focused on deploying tools on servers hosting data exfiltrated from Indian military networks. Observations suggest a singular instance where the TwoDash backdoor was directly deployed to a desktop in India, indicating possible differences in political directives or operational priorities. <\/p>\n<p>Black Lotus Labs found that by April 2023, the Russian group had used its backdoors to infiltrate the workstations of Pakistani operators, potentially obtaining a wealth of operational data, including insights into the Pakistani actor\u2019s tools, network credentials, and exfiltrated data.<\/p>\n<p>As operations progressed into mid-2024, Turla expanded its use of other malware families, namely Wasicot and CrimsonRAT, which they appropriated from the Pakistani intrusions. CrimsonRAT has notably been employed in past operations against Indian government institutions.<\/p>\n<p>Turla\u2019s work in this particular instance highlights an audacious \u2014 yet increasingly common \u2014 strategy employed by the group. Unlike other Russian espionage groups that use their own tooling to mask their identity, Turla uses the infrastructure of other cyber threat actors to indirectly gather intelligence. This status quo not only provides them with sensitive information but strategically obscures their involvement, as incident response efforts may mistakenly attribute the compromises to other groups.<\/p>\n<p>\u201cWe\u2019ve seen those highly-skilled espionage actors who can work through cutouts [and] will do that whenever they can,\u201d said Ryan English, an engineer with Black Lotus Labs. \u201cI think Secret Blizzard is patient enough and skilled enough to look for those opportunities. It certainly can benefit any group that has the ability to [use other groups\u2019 infrastructure], but in practice, it is harder than it looks.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Over the past three years, there have been <a href=\"https:\/\/www.welivesecurity.com\/2023\/03\/07\/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials\/\">numerous research reports<\/a> that <a href=\"https:\/\/www.uptycs.com\/blog\/threat-research-report-team\/cyber-espionage-in-india-decoding-apt-36-new-linux-malware\">tie APT-36<\/a> to the <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations\">particular type of targets<\/a> highlighted in Microsoft\u2019s and Lumen\u2019s report. <\/p>\n<p>Both Lumen and Microsoft\u2019s Threat Intelligence Center are actively participating in ongoing efforts to track and mitigate Turla. Lumen has enforced preventative measures by severing traffic to and from known hostile IP addresses tied to the malicious activity of both Turla and APT-36. The research also contains indicators of compromise, which have been incorporated into its threat intelligence feeds.<\/p>\n<p><a href=\"https:\/\/cyberscoop.com\/?s=Turla\">Turla<\/a> has been active for over a decade, targeting government, military, and research organizations, often focusing on entities in Europe and former Soviet states. The group is linked to a series of high-profile cyberattacks involving complex malware tools, such as \u201c<a href=\"https:\/\/cyberscoop.com\/fbi-disrupts-russian-cyber-espionage-tool\/\">Snake<\/a>,\u201d which it uses to conduct intelligence-gathering operations.<\/p>\n<p>You can read the full reports on <a href=\"https:\/\/blog.lumen.com\/snowblind-the-invisible-hand-of-secret-blizzard\/\">Lumen\u2019s<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/12\/04\/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage\/\">Microsoft\u2019s<\/a> respective websites. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.8984771573604\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/turla-infiltrates-pakistani-apt-networks-microsoft-lumen\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Russian-linked Turla caught using Pakistani APT infrastructure for espionage |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3263,2707,78,302,117,3005,2952,625,256,3264,288,3265],"tags":[3266,2709,86,306,119,3022,2955,630,262,3267,294,3268],"class_list":["post-6491","post","type-post","status-publish","format-standard","hentry","category-afghanistan","category-black-lotus-labs","category-cybersecurity","category-geopolitics","category-government","category-india","category-lumen-technologies","category-microsoft","category-research","category-secret-blizzard","category-threats","category-turla","tag-afghanistan","tag-black-lotus-labs","tag-cybersecurity","tag-geopolitics","tag-government","tag-india","tag-lumen-technologies","tag-microsoft","tag-research","tag-secret-blizzard","tag-threats","tag-turla"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/afghanistan\/\" rel=\"category tag\">Afghanistan<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/black-lotus-labs\/\" rel=\"category tag\">Black Lotus Labs<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/india\/\" rel=\"category tag\">India<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lumen-technologies\/\" rel=\"category tag\">Lumen Technologies<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/secret-blizzard\/\" rel=\"category tag\">Secret Blizzard<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/turla\/\" rel=\"category tag\">Turla<\/a>","tag_info":"Turla","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6491"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6491\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6491,"date":"2024-12-04T11:00:00","date_gmt":"2024-12-04T17:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82798"},"modified":"2024-12-04T11:00:00","modified_gmt":"2024-12-04T17:00:00","slug":"russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/12\/04\/russian-linked-turla-caught-using-pakistani-apt-infrastructure-for-espionage\/","title":{"rendered":"Russian-linked Turla caught using Pakistani APT infrastructure for espionage"},"content":{"rendered":"