Focus Mode
Threat Research

Turla Cyber Campaign Targeting Pakistan’s Critical Infrastructure – SOCRadar® Cyber Intelligence Inc.

Securonix
Turla Cyber Campaign Targeting Pakistan’s Critical Infrastructure – SOCRadar® Cyber Intelligence Inc.
The Turla group, a state-sponsored cyber threat actor, has launched a sophisticated campaign targeting Pakistan’s critical infrastructure, including energy, telecommunications, and government networks. Using advanced techniques like phishing and malware, Turla exploits vulnerabilities to gain access and maintain persistence. This campaign highlights the importance of robust cybersecurity measures to combat complex cyber threats. Affected: Pakistan’s critical infrastructure

Keypoints :

  • Turla group is a notorious state-sponsored cyber threat actor.
  • The latest campaign targets Pakistan’s critical infrastructure.
  • Focus areas include energy, telecommunications, and government networks.
  • Methods used include phishing and malware deployment.
  • Exploited vulnerabilities include CVE-2022-38028.
  • Techniques include DLL hijacking and multi-layered encryption.
  • Periodic connections to Command and Control (C2) servers are utilized.
  • Secret Blizzard, overlapping with Turla, compromised Storm-0156’s infrastructure.
  • Use of third-party infrastructure complicates attribution efforts.
  • SOCRadar’s Threat Hunting module offers insights for organizations.

MITRE Techniques :

  • T1189 – Drive-by Compromise: Use browser sandboxes and modern security features to prevent drive-by exploitation.
  • T1105 – Ingress Tool Transfer: Detect malicious content through network monitoring and behavioral analytics.
  • T1036 – Masquerading: Prevent masquerading with antivirus tools and file signature checks.
  • T1566 – Phishing: Educate users and implement email authentication mechanisms.
  • T1059 – Command and Scripting Interpreter: Monitor and block suspicious commands, modules, or functionalities.
  • T1102 – Web Service: Enforce secure traffic policies using web proxies to detect unsafe data flow.

Indicator of Compromise :

  • [IP Address] 130.185.119[.]198
  • [IP Address] 94.177.198[.]94
  • [IP Address] 162.213.195[.]129
  • [Domain] connectotels[.]net
  • [Domain] hostelhotels[.]net
  • Check the article for all found IoCs.

Full Research: https://socradar.io/turla-cyber-campaign-pakistans-critical-infrastructure/

Tags: EMAIL, CRITICAL INFRASTRUCTURE, MONITOR, PHISHING, GOVERNMENT, EXPLOIT, THREAT HUNTING, HUNTING