CyberSecurity SEE

Russian FSB hackers infiltrate Pakistan’s APT Storm-0156

Russian state intelligence hackers have successfully breached the operations of hackers based in Pakistan, exploiting their espionage activities to gain access to sensitive information from government, military, and defense entities in Afghanistan and India. The group known as Secret Blizzard, also referred to as Turla and allegedly tied to Russia’s Federal Security Service (FSB) by the Cybersecurity and Infrastructure Security Agency (CISA), managed to infiltrate a server utilized by another advanced persistent threat (APT) group, Storm-0156, which is associated with Transparent Tribe, SideCopy, and APT36. This incursion led to the compromise of 33 separate command-and-control nodes controlled by Storm-0156, culminating in the penetration of individual workstations owned by the Pakistani hackers in April 2023.

Following these incidents, research conducted by Microsoft and Black Lotus Labs revealed that Secret Blizzard capitalized on Storm-0156’s cyber operations to extract confidential data from various Afghan government agencies as well as military and defense targets in India. Despite the relative ease with which state-sponsored threat actors can exploit vulnerabilities in each other’s systems, security researcher Ryan English from Black Lotus Labs pointed out that many such hackers do not prioritize safeguarding their own infrastructure, focusing instead on offensive activities. This lack of emphasis on defensive measures could potentially expose them to counterattacks from rival cyber groups or security researchers monitoring their activities.

The methods employed by Secret Blizzard to infiltrate Storm-0156’s infrastructure remain unclear, but English suggested that the Russian hackers likely identified vulnerabilities in Storm-0156’s command-and-control nodes based on public reports and then leveraged remote desktop pivoting to access additional systems within the network. By gaining control over Storm-0156’s command-and-control nodes and workstations, Secret Blizzard acquired valuable insights into the Pakistani group’s tools, techniques, and procedures, which enabled them to strategically target Afghan government agencies such as the Ministry of Foreign Affairs and the General Directorate of Intelligence (GDI), along with foreign consulates. In contrast, their approach towards Indian entities involved deploying backdoors to intercept data previously pilfered by Storm-0156 from India’s military and defense sectors. This divergent strategy raised speculation regarding potential geopolitical factors influencing Secret Blizzard’s operational decisions within the context of Russian leadership and intelligence responsibilities.

Notably, the collaboration observed between threat actors in this scenario deviates from traditional cyber norms, as instances of hackers hacking each other to facilitate shared access to targeted organizations are relatively rare. Secret Blizzard’s track record of exploiting other APT groups for mutual gain extends beyond its recent incursion into Storm-0156’s infrastructure, with past incidents involving breaches of Iran’s APT34 and collaborative efforts with Ukrainian threat actors. The group’s utilization of bots and backdoors from distinct threat actors to obfuscate their activities further highlights their operational sophistication and adaptability in navigating the cyber landscape.

By harnessing the access obtained through hacking other APT groups, Secret Blizzard not only enhances its operational efficiency but also camouflages its malicious activities by making them appear to be the work of other threat actors. This strategic maneuvering enables the group to conceal its true involvement in cyber campaigns, thereby confounding security researchers and complicating attribution efforts. As the cybersecurity landscape continues to evolve with escalating threats posed by state-sponsored hackers, the incidents involving Secret Blizzard underscore the significance of vigilance and collaborative intelligence-sharing among global security stakeholders to mitigate the impact of such sophisticated cyber operations.
