# Full Report
In a campaign that began two years ago, the Moscow-backed hacker group Secret Blizzard, also known as Turla, infiltrated infrastructure used by the Pakistan-based cyber-espionage group Storm-0156 to spy on victims of political interest to the Kremlin.
# Analysis Summary
# Threat Actor: Secret Blizzard (Turla)
## Attribution & Identity
* **Primary Actor:** Secret Blizzard
* **Attribution:** Russian state-sponsored group, previously linked to Russia’s Federal Security Service (FSB).
* **Known Aliases/Associations:** Turla. Infiltrated and utilized infrastructure of Pakistani threat actor Storm-0156. Previously embedded in operations of Iranian group OilRig and a Kazakhstan-based threat actor.
## Activity Summary
* Began a campaign approximately two years ago (around 2022) by infiltrating the infrastructure of the Pakistan-based cyber-espionage group Storm-0156 for espionage targeting.
* The primary objective of this specific campaign was to spy on victims politically relevant to the Kremlin, specifically using the compromised Pakistani infrastructure to launch attacks.
* **Historical Activities:** Since 2017, researchers have identified at least four instances where Secret Blizzard embedded itself within another threat actor’s operations as a recurring tactic.
* **Objective:** Known for stealing politically significant information, particularly advanced research that might influence international political issues. They collect and exfiltrate sensitive materials, including documents, PDFs, and email content.
## Tactics, Techniques & Procedures
* **Infrastructure Abuse/Supply Chain Compromise:** Frequently embeds itself in, or exploits, the infrastructure of other threat actors (e.g., Storm-0156, OilRig) to maintain low visibility and to obscure attribution.
* **Remote Access to Stolen Data:** Uses the compromised infrastructure to remotely access sensitive files previously stolen by the host groups, without deploying its own tools onto those victim networks.
* **Malware Deployment via Proxy:** Deployed its own malware (TwoDash, Statuezy) when attacking Afghan government targets using the inherited access.
* **Tool Appropriation:** Targeted local institutions in India by deploying tools appropriated from the Pakistani hackers (Waiscot, CrimsonRAT), avoiding the deployment of native Secret Blizzard malware.
* **MITRE ATT&CK IDs:** Not specified in the provided text.
## Targeting
* **Sectors:** Government and intelligence agencies, military and defense-related institutions, ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies.
* **Geography:** South Asia; specifically targeted government and intelligence agencies in **Afghanistan**, and military/defense institutions in **India**.
* **Victims:** Government and intelligence agencies in Afghanistan; Military and defense-related institutions in India.
## Tools & Infrastructure
* **Malware Families Used (Secret Blizzard's):** TwoDash, Statuezy.
* **Malware Families Used (Appropriated from Storm-0156):** Waiscot, CrimsonRAT.
* **Infrastructure:** Exploited infrastructure belonging to Storm-0156 based in Pakistan.
## Implications
* Secret Blizzard prioritizes espionage targeting politically sensitive information.
* The group successfully masked its activities and complicated attribution by leveraging the infrastructure of another nation-state actor (Storm-0156).
* This tactic offers significant advantages by providing access to previously exfiltrated data and lowering the operational overhead required to launch attacks. Analysts expect this strategy to continue, especially as Western scrutiny on Russian cyber activities increases.
## Mitigations
* Organizations should monitor network traffic and activity originating from historically compromised third-party infrastructure, as it may be a staging ground for established state-sponsored groups like Secret Blizzard.
* Organizations should implement robust defenses against the tools known to be in use (Waiscot, CrimsonRAT), recognizing that such tools may be repurposed or deployed by a different threat actor than the one originally associated with them.
* Organizations should rigorously vet and monitor data access, even if that data was exfiltrated by another group, as Secret Blizzard may retroactively exploit it via compromised infrastructure.