Russian Hacker Group Secret Blizzard Hijacks C2 Infrastructure in New Espionage Campaign
Lumen’s Black Lotus Labs has uncovered an elaborate campaign by the Russian threat actor Secret Blizzard (also known as Turla). This operation demonstrates their signature tradecraft of hijacking other groups’ command-and-control (C2) infrastructure, allowing them to gather sensitive intelligence while masking their own involvement.
Since 2019, Secret Blizzard has refined its strategy of infiltrating other threat actors’ operations. Their latest campaign, spanning two years, reveals their intrusion into 33 C2 nodes operated by the Pakistan-based group Storm-0156. The report highlights, “This latest campaign… is the fourth recorded case of Secret Blizzard embedding themselves in another group’s operations since 2019.”
Using Storm-0156’s infrastructure as a springboard, Secret Blizzard not only deployed their malware, including TwoDash and Statuezy, but also exploited this access to collect intelligence from networks compromised by Storm-0156. In April 2023, they escalated their operations by infiltrating the workstations of Storm-0156’s operators, gaining unprecedented access to tools, credentials, and exfiltrated data.
Secret Blizzard’s campaign leveraged a mix of custom and appropriated malware. For example:
- TwoDash: Used to infiltrate Afghan government networks and maintain persistent access.
- CrimsonRAT: Previously employed by Storm-0156 against Indian targets, now repurposed by Secret Blizzard to gather intelligence from Indian government and military networks.
This dual-use approach illustrates Secret Blizzard’s tactical advantage: appropriating existing malware to evade detection and attribution.
Storm-0156, also known as SideCopy and Transparent Tribe, has a history of targeting regional governments, particularly in Afghanistan and India. Despite their experience, the group’s infrastructure became a liability. Secret Blizzard’s infiltration was so complete that they moved laterally from Storm-0156’s C2 nodes to their operators’ workstations. This allowed them to exploit additional networks, as the report explains: “They manipulated the trust relationship… to move into the Pakistani computer network operators’ workstations, pilfering data from those nodes.”
Secret Blizzard’s hallmark tactic of hijacking other groups’ C2 nodes allows them to conduct operations with minimal risk of exposure. By utilizing pre-established infrastructure, they avoid deploying their own tools directly, reducing their footprint and complicating attribution. The report emphasizes, “Operations such as these avoid or delay attribution.”