Cybersecurity News that Matters

Russian hackers exploit rival group’s systems to spy on Afghanistan and India

Illustration by Daeun Lee, The Readable

by David DiMolfetta

Dec. 05, 2024
2:00 PM GMT+9

In a bold display of cyberespionage, a prolific Russian hacking group has been spotted infiltrating and hijacking the systems of a rival Pakistani cyber collective.

The revelations, detailed in a report released Wednesday by Lumen’s Black Lotus Labs, highlight a campaign spanning more than two years carried out by Turla—also known as Secret Blizzard, as named by Lumen—a well-known Russia-aligned hacker group likely linked to Moscow’s Federal Security Service, or FSB.

The strategy allowed Secret Blizzard to steal information, deploy their own malware, and use the rival Pakistani malware for intelligence gathering—all while evading detection. It marks the fourth recorded instance of the group embedding themselves in another cyber gang’s operations since 2019, according to Lumen.

The report states that Secret Blizzard began infiltrating the Pakistan-aligned entity, known as Storm-0156, in late 2022. The Russian operatives breached servers managing the Pakistani group’s malware infections, using them as springboards to target Afghan and government organizations in 2023.

Later, they infiltrated Storm-0156’s systems, gaining access to workstations operated by the Pakistani hackers. This access provided a treasure trove of data, including credentials, previously exfiltrated information, and new malware tools used to target Indian networks.

Turla’s methods demonstrate a more calculated approach to espionage compared to those of other groups. Instead of building their own infrastructure and risking detection, they co-opt systems already compromised by other collectives.

But its targets are equally revealing. The group’s focus aligns closely with Russian geopolitical interests, including Afghanistan’s government and military, as well as government networks in India. By mid-2024, it was selectively targeting malware nodes previously used by Storm-0156. These nodes—infected devices that serve as access points for attackers—had been linked to campaigns against Indian government and military entities.

Other private-sector researchers have documented the Russian cyber gang staging infiltrations of Ukrainian entities following Russia’s 2022 invasion of Ukraine.

Last year, U.S. law enforcement officials took down a major espionage malware campaign deployed by Turla, which was used to steal sensitive materials from hundreds of computer systems across nearly 50 countries.

In collaboration with Microsoft’s Threat Intelligence Center, Lumen blocked traffic to infrastructure linked to both Secret Blizzard and Storm-0156. Indicators of compromise from the campaign have been shared with the cybersecurity community to support ongoing defense efforts, according to Lumen.

“Compromising the command-and-control servers of other threat actors not only helps them gather the information they seek but also shifts the blame to other groups if incident response efforts reveal exploitation on these networks,” the report states. “We have documented this case study because we believe this approach will likely persist, especially as Western nations, including the United States and European allies, continue to uncover and condemn Russian activities in cyberspace.”


Related article: Russian hackers targeted Mongolian government with techniques akin to commercial spyware providers, Google says

Illustration by Areum Hwang, The Readable

Kremlin-backed cyber operatives likely targeted a slew of Mongolian government websites using exploits that mirrored those deployed by commercial spyware vendors like NSO Group and Intellexa, according to a Thursday report from Google’s Threat Analysis Group.

Between November 2023 and July 2024, the Russian government-affiliated hackers—dubbed APT29—used “watering hole” cyberattacks that target victims by surreptitiously lacing websites they often visit with malicious code, according to TAG, which assessed with “moderate confidence” that the APT29 group carried out the intrusions.

The attack methods leveraged Apple iOS and Google Chrome n-day exploits, which are vulnerabilities known to developers but have not yet been fixed. “In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group,” the TAG blog post says.

  • David DiMolfetta

    David DiMolfetta is a contributing writer at The Readable. Based in Washington D.C., he is a full-time cybersecurity reporter for Nextgov/FCW, a news website and trade magazine focused on U.S. federal...
