# Full Report

## Executive Summary
Lumen’s Black Lotus Labs has uncovered a longstanding campaign orchestrated by the Russian-based threat actor known as “Secret Blizzard” (also referred to as Turla). This group has successfully infiltrated 33 separate command-and-control (C2) nodes used by the Pakistani-based actor, […]

Source: “Snowblind: The Invisible Hand of Secret Blizzard”, Lumen Blog.

# Analysis Summary
# Threat Actor: Secret Blizzard
## Attribution & Identity
Attributed to a Russian-based threat actor.
Known Aliases: Turla.
Associated Groups: Secret Blizzard has a history of exploiting the Command-and-Control (C2) infrastructure of other threat actors. In this campaign, they leveraged access initially gained by the Pakistani-based actor "Storm-0156." Storm-0156 is publicly associated with activity clusters "SideCopy" and "Transparent Tribe."
## Activity Summary
Secret Blizzard orchestrated a longstanding espionage campaign spanning the last two years, focusing on leveraging the access and infrastructure of the Storm-0156 group.
* **Initial Infiltration (Dec 2022):** Secret Blizzard gained initial access to a Storm-0156 C2 server.
* **Infrastructure Takeover (Mid-2023):** Expanded control to multiple Storm-0156 C2 nodes.
* **Targeting (Post-2022):** Deployed their own malware into networks linked to entities within the Afghan government, utilizing Storm-0156's pre-existing access.
* **Operator Compromise (April 2023):** Advanced operations by moving into the workstations of Pakistani-based Storm-0156 operators.
* **Data Acquisition:** Stole tooling, credentials (for C2s and targets), and previously exfiltrated data belonging to Storm-0156 from their workstations.
* **Tool Appropriation (Mid-2024):** Appropriated malware families, specifically **Waiscot** and **CrimsonRAT**, from the compromised Pakistani workstations and used them to gather data from prior deployments.
## Tactics, Techniques & Procedures
* **C2 Hijacking/Exploitation:** Audaciously exploiting other threat actors’ C2 servers for espionage and remote data acquisition, avoiding the exposure of their own dedicated infrastructure.
* **Trust Exploitation:** Moving from an exploited C2 node directly into the workstations of the original threat actor's operators to gain deeper access.
* **Data Harvesting:** Acquiring data (including credentials and previously exfiltrated files) that the original threat actor had collected from their victims.
* **Lateral Movement:** Using compromised C2s to deploy the actor's own agents into victim networks that were initially compromised by the other group.
* **Tool Repurposing:** Stealing and utilizing malware tooling (Waiscot, CrimsonRAT) discovered on compromised operator endpoints.
* **Evasion:** Operating through another actor's infrastructure and tooling, rather than their own, helps delay or avoid attribution.
## Targeting
* **Sectors:** Government entities.
* **Geography:** Networks linked to the **Afghan government**. Actors operating out of **Pakistan** (Storm-0156 operators) were also compromised. CrimsonRAT usage was previously noted against government and military targets in **India**.
* **Victims:** Various entities within the Afghan government networks.
## Tools & Infrastructure
* **Malware Families Used:**
    * TwoDash
    * Statuezy
    * Waiscot (Appropriated)
    * CrimsonRAT (Appropriated; previously found targeting government/military targets in India)
* **Infrastructure:** C2 nodes belonging to the threat actor "Storm-0156."
## Implications
Secret Blizzard exhibits a highly opportunistic and patient approach, systematically targeting and compromising other established threat actors to achieve espionage objectives. This behavior allows them to leapfrog initial access hurdles and acquire high-value data (including credentials and tooling) from third parties, significantly complicating attribution and increasing the depth of their intelligence gathering in the Middle East region. Their willingness to co-opt malware from other campaigns (like CrimsonRAT) suggests flexibility in adapting tooling based on opportunity.
## Mitigations
* Implement a well-tuned Endpoint Detection and Response (EDR) solution that routinely receives signature updates.
* Employ centralized monitoring to detect signs of lateral movement within the network.
* Monitor for large data transfers leaving the network, even if the destination IP appears geographically local.
* Consider comprehensive Secure Access Service Edge (SASE) or comparable solutions to bolster security posture and enable robust detection of network communications.
* Treat compromises associated with nation-state malware families and cybercrime malware families as equally concerning, given Secret Blizzard's history of co-opting both.
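The third mitigation above, flagging large outbound transfers without exempting destinations that merely look geographically local, is easy to get wrong in practice because egress rules are often tuned to ignore "in-country" traffic. The following is an added example, not code from the Lumen report, showing the check over a few constructed flow records. The record format (timestamp, source IP, destination IP, destination port, bytes out, destination country tag), the 10 MiB threshold, the internal address ranges and the `LOCAL_COUNTRY` value are all assumptions chosen for the example; the `exempt_local` flag exists only to show how the same data set produces no alert when local-looking destinations are skipped.

```python
"""Egress-volume detection over constructed flow records (added example).

Aggregates bytes sent from internal hosts to external destinations and flags
any (source, destination) pair whose total crosses a threshold. The country
tag on the destination is carried along for the analyst but is deliberately
NOT used to suppress alerts, because a C2 node can sit on an address that
geolocates next door to the victim network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: ts,src_ip,dst_ip,dst_port,bytes_out,dst_country
# (addresses come from documentation ranges; the values are invented).
SAMPLE_FLOWS = """\
2024-06-01T09:00:12Z,10.20.1.15,198.51.100.7,443,48213,US
2024-06-01T09:01:40Z,10.20.1.15,198.51.100.7,443,1540220,US
2024-06-01T09:03:05Z,10.20.1.15,198.51.100.7,443,2210440,US
2024-06-01T09:05:00Z,10.20.1.22,203.0.113.40,443,120000,AF
2024-06-01T09:05:30Z,10.20.1.22,203.0.113.40,443,8124000,AF
2024-06-01T09:06:10Z,10.20.1.22,203.0.113.40,443,7320000,AF
2024-06-01T09:10:00Z,10.20.1.9,10.20.2.50,445,910000,AF
2024-06-01T09:12:00Z,10.20.1.31,203.0.113.9,443,2048,AF
"""

# Assumed internal ranges; replace with the monitored network's own prefixes.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
EGRESS_THRESHOLD_BYTES = 10 * 1024 * 1024  # assumed 10 MiB; tune per environment
LOCAL_COUNTRY = "AF"  # assumed: the country the monitored network sits in


def parse_flows(text):
    """Parse the constructed CSV-style records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes, country = [f.strip() for f in line.split(",")]
        flows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                      "port": int(port), "bytes": int(nbytes), "country": country})
    return flows


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def egress_totals(flows):
    """Sum bytes per (src, dst, country) for internal->external flows only.

    Internal-to-internal traffic is left to a separate lateral-movement rule.
    """
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(str(f["src"]), str(f["dst"]), f["country"])] += f["bytes"]
    return totals


def flag_large_egress(flows, threshold=EGRESS_THRESHOLD_BYTES, exempt_local=False):
    """Return [(src, dst, country, total_bytes)] at or above the threshold.

    exempt_local=True reproduces the weak practice of skipping destinations
    tagged with the local country, so the two outcomes can be compared.
    """
    hits = []
    for (src, dst, country), total in egress_totals(flows).items():
        if exempt_local and country == LOCAL_COUNTRY:
            continue  # this is the gap the mitigation warns about
        if total >= threshold:
            hits.append((src, dst, country, total))
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, country, total in flag_large_egress(flows):
        print(f"ALERT egress {src} -> {dst} [{country}] {total} bytes")
    print("with local exemption:", flag_large_egress(flows, exempt_local=True))
```

On the sample data only `10.20.1.22 -> 203.0.113.40` crosses the threshold, and it is tagged with the local country; the same call with `exempt_local=True` returns nothing, which is exactly the blind spot the mitigation describes. In production the aggregation would run over a sliding window and the threshold would be set from a baseline of normal per-host egress rather than a fixed constant.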