Source: ArcadeImages via Alamy Stock Photo
Hackers operating on behalf of Russian state intelligence have breached hackers operating out of Pakistan, latching onto their espionage campaigns to steal information from government, military, and defense targets in Afghanistan and India.
In December 2022, Secret Blizzard (aka Turla) — which the Cybersecurity and Infrastructure Security Agency (CISA) has tied to Russia's Federal Security Service (FSB) — gained access to a server run by another advanced persistent threat (APT), Storm-0156 (aka Transparent Tribe, SideCopy, APT36). It soon expanded into 33 separate command-and-control (C2) nodes operated by Storm-0156 and, in April 2023, breached individual workstations owned by its fellow hackers.
Since then, researchers from Microsoft and Black Lotus Labs say, Secret Blizzard has been able to leech off of Storm-0156's cyberattacks, accessing sensitive information from various Afghani government agencies and Indian military and defense targets.
Spy vs. Spy
Ironically, threat actors — even those working for nation-states — might make easy pickings for other threat actors. As Ryan English, researcher at Black Lotus Labs explains, they don't often work hard at defending their own infrastructure. "If you spend a lot of time making your network a fortress, you're spending less time doing offensive stuff. At the end of the day, it's a time and a cost issue," he says.
Even if cyberattackers wanted to improve their cybersecurity, they'd face unique challenges in doing so. This much was demonstrated just recently, when a threat actor tried experimenting with Palo Alto's Cortex extended detection and response (XDR). By installing Cortex, they inadvertently allowed Palo Alto researchers a window into their operations.
It isn't clear how Secret Blizzard gained initial access into that first Storm-0156 server, but "our thinking is that they were identifying [Storm-0156] C2 nodes from public reporting. So their offensive team was working almost as a threat researcher would — spending time looking at public reports, looking for the possibility that they could get into somebody else's stuff," English says.
However, he adds, "They just weren't satisfied with what was available publicly. They probably did some reconnaissance. We think that they used some remote desktop pivoting to leverage their way into the target's other [infrastructure]. That's not an easy task."
What Secret Blizzard Stole From Storm-0156
With its C2 nodes and workstations in hand, Secret Blizzard had extensive visibility into — and control over — Storm-0156's tooling, its tactics, techniques, and procedures (TTPs), and the data it had already stolen from its victims. It used all of this to powerful and creative effect.
In some cases, the Russians used Storm-0156's servers to drop backdoors onto systems belonging to its existing victims. This allowed them to steal sensitive information from a variety of Afghan government agencies, including its Ministry of Foreign Affairs, General Directorate of Intelligence (GDI), and foreign consulates.
Against targets from India, though, Secret Blizzard took a different tack. In only one instance did it deploy its backdoor, "TwoDash," against an entity within India. Instead, it deployed a backdoor against Storm-0156 itself, siphoning off the sensitive records the Pakistanis had already stolen from targets in India's military and defense. Microsoft speculated that "the difference in Secret Blizzard’s approach in Afghanistan and India could reflect political considerations within the Russian leadership, differing geographical areas of responsibility within the FSB, or a collection gap on Microsoft Threat Intelligence's part."
Unprecedented Security Through Obscurity
Threat actors collaborate frequently, but researchers haven't identified any other groups that have hacked one another for the sake of sharing access to targets in the way Secret Blizzard has.
It's not the first time Secret Blizzard has done it, either. First in 2017, the group accessed tools and infrastructure belonging to Iran's APT 34 (aka Hazel Sandstorm, OilRig, Crambus). In an upcoming blog post, Microsoft will disclose details of another Secret Blizzard campaign in Ukraine, during which it used bots and a backdoor belonging to two other threat actors.
And then there was the case which broke last year. In January, Mandiant reported on a campaign it tied to Secret Blizzard. In April, Kaspersky alleged that the activity was, instead, carried out by the Kazakhstan-based APT Tomiris (aka Storm-0473). It appears now that Mandiant's guess was correct: Secret Blizzard was behind it, but confused researchers by using Tomiris' backdoor. Dark Reading has reached out to Kaspersky following this latest development.
That Tomiris smokescreen speaks to the benefits of Secret Blizzard's approach. By hacking just one APT, of course, it can access infrastructure and sensitive data belonging to all of that APT's victims. But beyond efficiency, it can also use that access to mask its activity, passing it off as if it originated from another threat actor.
English recalls how, last month, "I was at CyberWarCon, and a couple of people there were having a conversation, saying: 'You know, we haven't heard from Turla lately.' And I started laughing."