Summary:
Lumen’s Black Lotus Labs has revealed a prolonged cyber espionage campaign by the Russian threat actor “Secret Blizzard,” which infiltrated the command-and-control (C2) nodes of the Pakistani actor “Storm-0156.” Over two years, Secret Blizzard leveraged this access to deploy their malware into Afghan government networks and gather sensitive data. The report highlights the group’s strategic exploitation of other actors’ infrastructures to enhance their operations while minimizing detection risks.
#CyberEspionage #ThreatActor #DataExfiltration
Lumen’s Black Lotus Labs has revealed a prolonged cyber espionage campaign by the Russian threat actor “Secret Blizzard,” which infiltrated the command-and-control (C2) nodes of the Pakistani actor “Storm-0156.” Over two years, Secret Blizzard leveraged this access to deploy their malware into Afghan government networks and gather sensitive data. The report highlights the group’s strategic exploitation of other actors’ infrastructures to enhance their operations while minimizing detection risks.
#CyberEspionage #ThreatActor #DataExfiltration
Keypoints:
Secret Blizzard has infiltrated 33 C2 nodes used by Storm-0156, a Pakistani threat actor.
The campaign has been ongoing for two years and is the fourth instance of Secret Blizzard embedding in another group’s operations.
Secret Blizzard deployed malware such as “TwoDash” and “Statuezy” into networks linked to the Afghan government.
In 2024, Secret Blizzard expanded their malware arsenal to include “Waiscot” and “CrimsonRAT.”
They exploited trust relationships to gather data and deploy their tools within compromised networks.
Secret Blizzard’s operations highlight a unique strategy of using other threat actors’ C2 servers to avoid detection and attribution.
Monitoring efforts by Lumen and MSTIC have led to blocking traffic related to Secret Blizzard and Storm-0156.
MITRE Techniques:
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Exploitation of Remote Services (T1210): Leverages Remote Desktop Protocol (RDP) for lateral movement within networks.
Data Encrypted (T1041): Uses encryption to exfiltrate sensitive data while avoiding detection.
Credential Dumping (T1003): Collects credentials from compromised systems to gain further access.
Remote Access Tools (T1219): Deploys custom remote access tools to maintain persistent access to networks.
IoC:
[IP Address] 185.217.125.195
[IP Address] 209.126.6.227
[IP Address] 209.126.81.42
[IP Address] 146.70.158.90
[IP Address] 162.213.195.129
[IP Address] 173.212.252.2
[IP Address] 185.213.27.94
[IP Address] 167.86.113.241
[IP Address] 109.123.244.46
[IP Address] 23.88.26.187
[IP Address] 38.242.219.13
[IP Address] 5.189.183.63
[IP Address] 62.171.153.221
[IP Address] 38.242.211.87
[IP Address] 45.14.194.253
[IP Address] 173.212.206.227
[IP Address] 209.145.52.172
[IP Address] 130.185.119.198
[IP Address] 173.249.18.251
[IP Address] 176.57.184.97
[IP Address] 209.126.11.251
[IP Address] 144.91.72.17
[IP Address] 84.247.181.64
Mitigation:
Implement a well-tuned EDR solution with regular signature updates for all network assets.
Centralized monitoring for signs of lateral movement within the network is essential.
Monitor for large data transfers out of the network, even to nearby IP addresses.
Consider adopting secure access service edge (SASE) solutions to enhance security posture.
Encourage organizations to treat all compromises as serious threats, regardless of their origin.