The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undisclosed operation in which it infiltrated the command-and-control (C2) servers of a Pakistan-based hacking group tracked as Storm-0156, a campaign it has allegedly been running since 2022.
The campaign, which Lumen Technologies' Black Lotus Labs first observed in December 2022, is the latest instance of a nation-state adversary embedding itself in another group's malicious operations to further its own objectives and muddy attribution.
In December 2022, Secret Blizzard infiltrated a single Storm-0156 C2 server, and by mid-2023 had expanded its control to several other C2 servers tied to the same actor, according to a report shared with The Hacker News.
Turla capitalized on Storm-0156's existing intrusions to deploy custom malware payloads, TwoDash and Statuezy, on select networks belonging to various Afghan government entities. TwoDash is a custom downloader, while Statuezy is a trojan that monitors and logs data saved to the Windows clipboard.
The Microsoft Threat Intelligence team, which also published findings on the campaign, said Turla's use of infrastructure tied to Storm-0156 overlaps with two other activity clusters that Microsoft tracks separately.
Microsoft said in a coordinated report: "Secret Blizzard command-and-control (C2) traffic emanated from Storm-0156 infrastructure, which was used in conjunction with other systems exploited by Storm-0156 to harvest sensitive information gathered during campaigns in Afghanistan and India."
Turla, also known as Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Summit, Uroburos, Venomous Bear, and Waterbug, is believed to have ties to the Russian Federal Security Service (FSB).
Active for nearly three decades, the group primarily targets government, diplomatic, and military organizations.
The group has a notable history of commandeering other threat actors' infrastructure for its own purposes. In October 2019, the U.K. and U.S. governments disclosed that Turla had compromised an Iranian threat actor's infrastructure to further its own intelligence goals.
"Turla exploited and leveraged the command-and-control infrastructure of Iranian advanced persistent threats (APTs) to deliver its custom malware tools directly to victims, exhibiting a high degree of sophistication and coordination," the U.K. National Cyber Security Centre (NCSC) noted at the time. Microsoft has since acknowledged the Iranian hacking group as well.
In January 2023, security researchers at Google-owned Mandiant revealed that the Turla group had leveraged the attack infrastructure of the well-known commodity malware Andromeda to deliver its own custom-built reconnaissance and backdoor tools to targets in Ukraine.
In April 2023, Kaspersky detailed a third case of Turla repurposing another actor's tooling: the Tomiris backdoor, associated with the Kazakhstan-based actor Storm-0473, which was used in September 2022 to deliver the QUIETCANARY payload.
"The frequency with which Secret Blizzard co-opts or commandeers the infrastructure or tools of other threat actors suggests that this is a deliberate component of their tactics and techniques," Microsoft noted.
Black Lotus Labs and Microsoft found that Turla used the Storm-0156 C2 servers to deploy backdoors into Afghan government entities, whereas in India it focused on C2 servers that held data exfiltrated from Indian military and defense-related organizations.
Control of the Storm-0156 C2 servers also let Turla hijack the Pakistani group's existing backdoors, including a previously undocumented Golang implant dubbed Wainscot. Black Lotus Labs told The Hacker News that how the servers were initially compromised remains unclear.
Specifically, Microsoft noted that Turla used a Crimson RAT infection that Storm-0156 had established in March 2024 to download and execute TwoDash in August 2024. Deployed in victim networks alongside TwoDash is another custom downloader, MiniPocket, which connects over TCP to a hardcoded IP address and port to retrieve and execute a second-stage binary.
The Russian actor also moved laterally to the Storm-0156 operator's workstation, likely via a trusted relationship, gaining insight into the Pakistani group's tooling, C2 credentials, and data stolen in earlier operations.
Microsoft said this approach lets Secret Blizzard collect intelligence on the South Asian entities Storm-0156 is targeting without having to target those organizations directly.
By piggybacking on the efforts of others, Secret Blizzard gains a foothold on networks of interest with relatively little effort. The trade-off is that the data it obtains this way may not fully align with its own collection priorities.