
Russian Hackers Breached Pakistani Actor Servers for C2 Communication


Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to the Pakistani group Storm-0156. The breach gave Secret Blizzard access to networks associated with Afghan government entities and to Storm-0156's Pakistani operators, illustrating the group's practice of piggybacking on another actor's footholds rather than building its own.

Secret Blizzard deployed its own malware, TwoDash and Statuezy, while also using Storm-0156's tools, Waiscot and CrimsonRAT, to gather intelligence on the targeted networks. Reusing another threat actor's infrastructure and tooling lets Secret Blizzard run stealthy, persistent intrusions while muddying attribution.

A key Secret Blizzard strategy is compromising other actors' C2 servers and operator workstations to reach sensitive data already collected there. This expands their operational reach while complicating detection and attribution, and it lets them target critical infrastructure and government networks by exploiting existing trust relationships and stolen tooling.

Storm-0156, a Pakistani nation-state actor, has in turn been observed using Hak5 hardware-based tools to compromise targets in India and Afghanistan. These tools are deployed through physical access, bypassing network-facing security controls and enabling data exfiltration and script execution. Storm-0156's adaptability and persistent focus on critical infrastructure were evident in a campaign that began in late 2022 and extended into early 2023, targeting government organizations such as the Ministry of Foreign Affairs and defense entities.

By leveraging the compromised Storm-0156 C2 infrastructure, Secret Blizzard infiltrated Afghan government networks and deployed its custom malware, TwoDash, to gain persistent access to critical systems. From late 2022 to mid-2023 these operations involved extensive data exfiltration and likely espionage against sensitive government information.

According to reports from Lumen, Secret Blizzard breached Storm-0156's infrastructure to access sensitive information and potentially pivot into additional networks. While they did not deploy their own agents there, it is likely that the existing infrastructure was used to gather intelligence and stage further attacks, underscoring the need for robust defenses around critical infrastructure.

This strategy of compromising other threat actors' C2 servers to conceal operations and shift blame, exhibited by the Russian FSB-linked actor, is a significant threat because of its sophistication and its focus on data exfiltration. Organizations are advised to implement robust controls such as a well-tuned EDR solution, monitoring for unusually large outbound data transfers, and evaluating SASE solutions to mitigate these risks.

In the face of these advanced threats, the security community must remain vigilant and prioritize sharing threat intelligence to better protect against evolving cyber threats. By collectively addressing these challenges, organizations can strengthen their defenses and safeguard against malicious actors seeking to exploit vulnerabilities in critical infrastructure.
