Secret Blizzard, a Russian nation-state actor, has used the infrastructure and tools of at least six other threat actors, including the Pakistan-based Storm-0156, to run espionage operations. Riding on those footholds lets it install backdoors, collect intelligence, and compromise target devices in regions such as South Asia and Ukraine.
By reusing infrastructure and data taken from other actors, Secret Blizzard extends its reach with little effort of its own while making its activity harder to attribute.
Microsoft attributes Secret Blizzard to the Russian FSB's Center 16. The group targets diplomatic and defense entities worldwide and gains persistent access through several routes, including compromised infrastructure belonging to other threat actors such as Hazel Sandstorm and Storm-0473.
Its primary goal is intelligence collection, with a focus on politically sensitive information and advanced research. Its tradecraft, which combines exploiting vulnerabilities, deploying backdoors, and exfiltrating sensitive data, marks it as a capable and persistent threat.
Secret Blizzard compromised Storm-0156's command-and-control (C2) infrastructure and used Storm-0156's own C2 tooling, such as Arsenal, to deploy its backdoors, establish a persistent presence, and exfiltrate data.
Storm-0156's backdoors, CrimsonRAT and Wainscot among them, also came under Secret Blizzard's control, giving it access to the victim devices Storm-0156 had already compromised.
Using techniques such as DLL sideloading, it deployed its own payloads, including TwoDash and MiniPocket, to reach additional targets.
Storm-0156's infrastructure was found carrying multiple Secret Blizzard backdoors. One is a TinyTurla variant resembling the sample Cisco Talos described in 2021; it is installed by a batch file and registered as a Windows service to blend in with legitimate services.
TwoDash, a custom downloader, consists of a native binary loader and a .NET application that surveys the device and executes tasks.
Statuezy, a custom trojan, monitors and logs clipboard data, which a separate malware family then exfiltrates. MiniPocket, a small custom downloader, retrieves and executes second-stage binaries from a hardcoded IP address.
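The install-via-batch-file detail above is something a defender can hunt for by joining two logs: Sysmon process-creation events (EventID 1) that show `sc create` being spawned by a `cmd.exe` running a `.bat` or `.cmd` file, and the System log's "service was installed" events (EventID 7045) for the same service name. The script below is an added illustration for this summary, not code from Microsoft's or Cisco Talos's reporting. All event records, the service name `UpdSvcHelper`, the batch path, and the pipe-delimited `ID|Key=Value` layout are constructed for the example; the field names follow the real Sysmon and System log fields.

```python
"""Correlate a Windows service installation with the batch file that performed it.

Added example, not from the Microsoft or Cisco Talos reporting. The event
records are constructed to mirror Sysmon EventID 1 (process creation) and
System log EventID 7045 (service installed); the 'ID|Key=Value' layout is
an assumption made for this script, as are all names and paths.
"""
import re

# Parent command line references a batch file
SCRIPT_FILE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
# "sc create <name> ..." or "sc.exe create <name> ..."; the name may be quoted
SC_CREATE = re.compile(r'\bsc(?:\.exe)?\s+create\s+"?([^"\s]+)"?', re.IGNORECASE)

# Constructed Sysmon EventID 1 records (hypothetical host, hypothetical paths)
PROCESS_EVENTS = [
    # Benign: an MSI installer registering its own service
    r"1|Image=C:\Windows\System32\sc.exe|CommandLine=sc.exe create VendorAgent binPath= C:\Program Files\Vendor\agent.exe start= auto|ParentImage=C:\Windows\System32\msiexec.exe|ParentCommandLine=msiexec.exe /i vendor.msi /qn",
    # The batch file being launched
    r"1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c C:\ProgramData\upd\install.bat|ParentImage=C:\Windows\explorer.exe|ParentCommandLine=explorer.exe",
    # The service registration spawned by that batch file (service DLL hosted by svchost)
    r'1|Image=C:\Windows\System32\sc.exe|CommandLine=sc create UpdSvcHelper binPath= "C:\Windows\System32\svchost.exe -k netsvcs" type= share start= auto|ParentImage=C:\Windows\System32\cmd.exe|ParentCommandLine=cmd.exe /c C:\ProgramData\upd\install.bat',
]

# Constructed System log EventID 7045 records
SYSTEM_EVENTS = [
    r"7045|ServiceName=VendorAgent|ImagePath=C:\Program Files\Vendor\agent.exe|StartType=auto start|Account=LocalSystem",
    r"7045|ServiceName=UpdSvcHelper|ImagePath=C:\Windows\System32\svchost.exe -k netsvcs|StartType=auto start|Account=LocalSystem",
]


def parse_event(line: str) -> dict:
    """Turn 'ID|Key=Value|Key=Value' into a dict; the ID is stored under 'EventID'.
    Values may themselves contain '=' (e.g. 'binPath= ...'), so split on the first only."""
    event_id, *fields = line.split("|")
    record = {"EventID": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def services_created_by_batch(process_events) -> dict:
    """Return {service_name: parent_command_line} for every 'sc create' whose
    parent process is cmd.exe executing a .bat/.cmd file."""
    found = {}
    for line in process_events:
        ev = parse_event(line)
        if ev["EventID"] != 1:
            continue
        match = SC_CREATE.search(ev.get("CommandLine", ""))
        if not match:
            continue
        parent_image = ev.get("ParentImage", "").lower()
        parent_cmd = ev.get("ParentCommandLine", "")
        if parent_image.endswith("\\cmd.exe") and SCRIPT_FILE.search(parent_cmd):
            found[match.group(1)] = parent_cmd
    return found


def correlate(process_events, system_events) -> dict:
    """Join batch-created service names with their 7045 installation records.
    Returns {service_name: {"installer": parent command line, "image_path": path}}."""
    suspects = services_created_by_batch(process_events)
    hits = {}
    for line in system_events:
        ev = parse_event(line)
        if ev["EventID"] != 7045:
            continue
        name = ev.get("ServiceName", "")
        if name in suspects:
            hits[name] = {"installer": suspects[name], "image_path": ev.get("ImagePath", "")}
    return hits


if __name__ == "__main__":
    for name, info in correlate(PROCESS_EVENTS, SYSTEM_EVENTS).items():
        print(f"service {name!r} installed by {info['installer']!r} -> {info['image_path']}")
```

Only `UpdSvcHelper` is reported: the `VendorAgent` registration also runs `sc create`, but its parent is `msiexec.exe`, not a batch file, so it is left alone. Registering the service via `sc.exe` is one of several routes (PowerShell `New-Service` or direct registry writes under `HKLM\SYSTEM\CurrentControlSet\Services` are others), so in practice the `SC_CREATE` pattern would be one of a set of matchers feeding the same correlation.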
According to Microsoft, Secret Blizzard, a Russian-backed threat actor, has leveraged the Storm-0156 infrastructure to deploy backdoors like Wainscot and CrimsonRAT to compromise targets in Afghanistan and India.
The Ministry of Foreign Affairs and the General Directorate of Intelligence (GDI) were among the government agencies in Afghanistan that were directly targeted by these backdoors.
In India, the targets were primarily military and defense-related institutions, and Secret Blizzard more often deployed its own backdoors or routed data through Storm-0156's servers rather than the original actor's implants. Microsoft reads this as a deliberate difference in approach between the two countries, possibly driven by geopolitical priorities or resource allocation.
Piggybacking on other actors' infrastructure and tools gives Secret Blizzard access to target networks at low cost, but the trade-off is that the collection it inherits may not match its own priorities, and it becomes exposed alongside the actor it is riding on.
Existing footholds let Secret Blizzard establish a presence quickly, yet its operations then depend on the original actor's operational security: if that actor is detected or burned, Secret Blizzard's activity on the same infrastructure can be exposed with it.