Full Report
Microsoft has found that Russian APT Secret Blizzard piggybacks on other cybercriminals' infrastructure to conduct cyber espionage
Analysis Summary
# Threat Actor: Secret Blizzard
## Attribution & Identity
**Attribution:** Center 16 of Russia’s Federal Security Service (FSB).
**Aliases and Known Groups:** Turla, Iron Hunter, Venomous Bear, WhiteBear, Waterbug, Snake.
**Associations:** Has been observed leveraging the tools and infrastructure of at least six other threat actors.
## Activity Summary
Secret Blizzard is an Advanced Persistent Threat (APT) group active since at least 2004. Recent analysis highlights the group's extensive practice of "borrowing" tools and infrastructure from other threat actors, including cybercriminals and espionage groups, to conduct operations. Operating through another actor's existing footholds obscures attribution and gives Secret Blizzard reach into victims that actor has already compromised. Notably, since November 2022, the group has been compromising the Command-and-Control (C2) infrastructure of the Pakistan-based espionage cluster tracked as Storm-0156, using it to deploy its own backdoors and to stage data that Storm-0156 had already exfiltrated. Historically, in 2017, it also accessed tools and infrastructure belonging to the Iranian state-sponsored actor Hazel Sandstorm (aka OilRig, APT34).
## Tactics, Techniques & Procedures
- Use of watering holes.
- Adversary-in-the-Middle (AiTM) attacks.
- Spear-phishing campaigns.
- Extensive piggybacking on other threat actors' infrastructure and tools.
- Compromising other groups' C2 infrastructure (e.g., Storm-0156) to deploy its own backdoors and to collect data those groups have already exfiltrated.
- Commandeering other groups' backdoors for its own use.
- DLL side-loading.
- Search order hijacking to execute malicious payloads.
- **Known Malware:** Uroburos, TinyTurla, TwoDash, Statuezy, MiniPocket (the latter three deployed via Storm-0156's compromised C2 infrastructure).
- **Observed Reused Malware/Backdoors:** CrimsonRAT, Wainscot (confiscated from Storm-0156). Reused Andromeda malware to deploy KopiLuwak and QuietCanary backdoors.
## Targeting
**Sectors:** Ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies.
**Geography:** Worldwide targeting.
**Victims:** High-value government and defense targets globally.
## Tools & Infrastructure
**Malware families used:** Uroburos, TinyTurla, TwoDash, Statuezy, MiniPocket, KopiLuwak, QuietCanary.
**Infrastructure:** Utilizes compromised C2 infrastructure of other groups, specifically observed leveraging Storm-0156's backdoors and VPS staging servers.
**Defanged URLs/IPs:** *(No specific URLs or IPs were provided in the document for defanging.)*
## Implications
Secret Blizzard's sophisticated tactic of leveraging infrastructure and tools from at least six other threat actors significantly increases the complexity of detecting and attributing their cyber espionage activities. Their ability to piggyback on established compromise chains allows them to operate more stealthily while simultaneously harvesting data exfiltrated by other groups, indicating a proactive, multi-layered espionage strategy.
## Mitigations
- Monitor any externally reachable infrastructure you operate, including partner-hosted or third-party-managed servers, for unauthorized backdoors and staged data; Secret Blizzard plants its own implants on servers that another actor has already compromised.
- Collect module-load telemetry on endpoints (EDR or Sysmon) and alert on DLL side-loading and search order hijacking, for example a Windows system DLL resolving from an application directory or a user-writable path rather than the system directory.
- Regularly audit the security posture of trusted external partners, since their infrastructure can be used by threat actors as an operating or staging point against you.
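The DLL side-loading and search order hijacking techniques listed under Tactics, Techniques & Procedures, and the endpoint-telemetry mitigation above, can be turned into a concrete detection. The following is an added example written for this summary, not code from Microsoft's report or from the threat actor's tooling. It assumes module-load records shaped like Sysmon Event ID 7 (fields `Image`, `ImageLoaded`, `Signed`); the system-DLL allowlist and the sample events are constructed for illustration.

```python
"""Flag Image Loaded events that look like DLL side-loading or search-order hijacking.

Added illustration, not code from the Microsoft report. Records mimic the
fields of Sysmon Event ID 7 (Image, ImageLoaded, Signed); the DLL allowlist
and the sample events below are constructed for this example.
"""
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# System DLLs that should only ever resolve from the Windows system
# directories. Hand-picked for illustration; in practice derive the set from
# a clean reference image rather than from a short list like this.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll", "userenv.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def _norm(path: str) -> PureWindowsPath:
    # Case-fold so C:\Windows\System32 and c:\windows\system32 compare equal.
    return PureWindowsPath(path.lower())


def classify_load(rec: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one module-load record, or None if benign."""
    image = _norm(rec["Image"])          # the process doing the loading
    dll = _norm(rec["ImageLoaded"])      # the module that was mapped into it
    if dll.name not in SYSTEM_DLLS or str(dll.parent) in SYSTEM_DIRS:
        return None                      # not a system DLL, or loaded from where it belongs
    beside_image = dll.parent == image.parent
    unsigned = rec.get("Signed", "").lower() == "false"
    if beside_image and unsigned:
        # Unsigned copy of a system DLL sitting next to the executable: the
        # textbook side-loading layout (loader resolves the app directory first).
        return ("high", "unsigned %s loaded from %s's own directory" % (dll.name, image.name))
    # A system DLL resolved from a non-system path. Could be a vendor
    # redistributable, so triage rather than block outright.
    return ("medium", "%s loaded from %s instead of a system directory" % (dll.name, dll.parent))


def scan(records: List[dict]) -> List[Tuple[str, str, str]]:
    """Run classify_load over a batch; returns (image, severity, reason) per hit."""
    findings = []
    for rec in records:
        hit = classify_load(rec)
        if hit:
            findings.append((rec["Image"], hit[0], hit[1]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\dbghelp.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for image, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

The two severities reflect the two techniques on the page: an unsigned system-DLL name dropped beside a legitimate executable is the side-loading pattern, while any system DLL resolving from outside the system directories is the broader search-order anomaly that needs triage because signed vendor redistributables produce the same shape.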