Thursday, January 23, 2025

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication


Secret Blizzard, a Russian threat actor, infiltrated 33 command-and-control (C2) servers belonging to the Pakistan-based group Storm-0156. That access let it reach both the Afghan government networks Storm-0156 had already compromised and the workstations of Storm-0156's own operators.

Secret Blizzard deployed its own malware, TwoDash and Statuezy, and also used Storm-0156's backdoors, Wainscot and CrimsonRAT, to collect intelligence from the targeted networks. Turning another actor's C2 servers and implants against that actor's victims shows how readily it exploits weaknesses in other threat actors' infrastructure.

Secret Blizzard is a nation-state actor that habitually operates through other threat actors' infrastructure to run stealthy, persistent intrusions.

By compromising C2 servers and operator workstations, it gains access to whatever the original actor has already stolen and extends its own reach to that actor's victims.

Operating through someone else's C2 also blunts detection and attribution: a defender who spots the traffic sees Storm-0156's known tooling and infrastructure, not Secret Blizzard. This abuse of trust relationships and stolen tools is what lets it reach critical infrastructure and government networks, and it underlines the need for defenses that do not assume a single actor sits behind a given C2.

Logical Connections between Storm-0156’s Hak5 Cloud C2 and known C2s.

Storm-0156, a Pakistan-based nation-state actor, has been observed using Hak5 hardware-based tools against targets in India and Afghanistan. These implants are deployed through physical access, which lets them bypass network-facing security controls, and they give the operator script execution and data exfiltration on the host they are attached to.

The campaign, which began in late 2022 and continued into early 2023, targeted government organizations including the Ministry of Foreign Affairs and defense entities, highlighting Storm-0156's adaptability and its persistent focus on critical infrastructure.

Secret Blizzard then used the compromised Storm-0156 C2 infrastructure to reach Afghan government networks.

By exploiting weaknesses in that infrastructure and deploying its custom TwoDash backdoor, it gained persistent access to critical systems.

Those operations, spanning late 2022 to mid-2023, involved extensive data exfiltration and likely espionage against sensitive government information.

Secret Blizzard infiltrating both Storm-0156 and Afghan government networks

According to Lumen, Secret Blizzard breached Storm-0156's infrastructure and used that foothold to reach Indian government and military networks as well, interacting directly with the CrimsonRAT and Wainscot C2 servers and potentially compromising further networks from there.

In the Indian networks Secret Blizzard did not deploy its own agents; it appears to have relied on Storm-0156's existing implants to gather intelligence and act on targets, which again shows why defenses cannot assume a single actor behind a given piece of malware.

Secret Blizzard, which is linked to Russia's FSB, compromises other threat actors' C2 servers to conceal its own operations and shift attribution onto the actor it has hijacked. Combined with its tradecraft and its focus on data exfiltration, that makes it a significant threat.

To mitigate this risk, organizations should deploy a well-tuned EDR solution, monitor outbound traffic for unusually large data transfers (the exfiltration stage is often the most visible part of this activity), and consider SASE solutions that bring egress under a single policy and logging point.
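One concrete form of the "monitor for large data transfers" advice above is a per-host volume baseline that flags a day whose outbound bytes jump far above that host's own history, and lists any destination the host had never contacted before. This is an added example and not code from the article or from the Lumen or Microsoft reporting; the CSV layout, host names, addresses and byte counts are constructed, and the thresholds (`MIN_HISTORY_DAYS`, `MAD_MULTIPLIER`, `ABSOLUTE_FLOOR_BYTES`) are assumptions to tune per environment.

```python
"""Per-host outbound-volume baseline for spotting exfiltration-sized transfers.

Added example, not code from the article or from the Lumen/Microsoft reporting.
The CSV layout, hosts, addresses and byte counts below are constructed, and the
thresholds are assumptions that must be tuned to the environment.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed daily flow summary: one row per (day, source host, destination).
# In practice this comes from NetFlow/IPFIX, proxy logs or a SASE egress log.
SAMPLE_FLOWS = """\
date,src_host,dst_ip,bytes_out
2023-03-01,ws-finance-07,203.0.113.10,12400000
2023-03-02,ws-finance-07,203.0.113.10,11800000
2023-03-03,ws-finance-07,203.0.113.10,13100000
2023-03-04,ws-finance-07,203.0.113.10,12600000
2023-03-05,ws-finance-07,203.0.113.10,12900000
2023-03-06,ws-finance-07,203.0.113.10,12200000
2023-03-06,ws-finance-07,198.51.100.44,640000000
2023-03-01,srv-backup-01,203.0.113.20,900000000
2023-03-02,srv-backup-01,203.0.113.20,910000000
2023-03-03,srv-backup-01,203.0.113.20,905000000
2023-03-04,srv-backup-01,203.0.113.20,915000000
2023-03-05,srv-backup-01,203.0.113.20,898000000
2023-03-06,srv-backup-01,203.0.113.20,902000000
2023-03-06,ws-hr-02,203.0.113.10,3500000
"""

MIN_HISTORY_DAYS = 5                      # baseline days required before scoring a host
MAD_MULTIPLIER = 6.0                      # robust z-score above which a day is anomalous
ABSOLUTE_FLOOR_BYTES = 100 * 1024 * 1024  # never alert on days below ~100 MiB


def parse_flows(text):
    """Parse the CSV summary into dicts with an integer byte count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"date": r["date"], "src_host": r["src_host"],
                     "dst_ip": r["dst_ip"], "bytes_out": int(r["bytes_out"])})
    return rows


def daily_totals(rows):
    """host -> date -> total bytes out that day (all destinations summed)."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in rows:
        totals[r["src_host"]][r["date"]] += r["bytes_out"]
    return totals


def first_seen_destinations(rows):
    """host -> dst_ip -> first date that destination appeared for the host."""
    first = defaultdict(dict)
    for r in sorted(rows, key=lambda r: r["date"]):
        first[r["src_host"]].setdefault(r["dst_ip"], r["date"])
    return first


def detect_exfil_candidates(rows):
    """Flag days whose volume is far above the host's own prior history.

    Median/MAD is used instead of mean/stddev so the spike being scored cannot
    inflate its own threshold, and so a steady high-volume host (backups) stays quiet.
    """
    alerts = []
    totals = daily_totals(rows)
    first = first_seen_destinations(rows)
    for host, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            today = per_day[day]
            if today < ABSOLUTE_FLOOR_BYTES:
                continue
            history = [per_day[d] for d in days[:i]]  # strictly earlier days only
            if len(history) < MIN_HISTORY_DAYS:
                continue  # not enough baseline; a separate new-host rule would cover this
            med = statistics.median(history)
            mad = statistics.median(abs(x - med) for x in history)
            # Edge case: a perfectly flat baseline gives MAD == 0; fall back to 10% of median
            spread = mad if mad > 0 else max(med * 0.1, 1.0)
            score = (today - med) / spread
            if score > MAD_MULTIPLIER:
                alerts.append({
                    "host": host,
                    "date": day,
                    "bytes_out": today,
                    "baseline_median": med,
                    "score": round(score, 1),
                    # destinations this host had never talked to before that day
                    "new_destinations": sorted(d for d, f in first[host].items() if f == day),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['date']} {a['host']}: {a['bytes_out']:,} B out "
              f"(baseline median {a['baseline_median']:,.0f} B, score {a['score']}), "
              f"new destinations: {a['new_destinations'] or 'none'}")
```

On the constructed data only `ws-finance-07` on 2023-03-06 is flagged: its 652 MB day is thousands of MADs above a 12.6 MB baseline, and the alert names `198.51.100.44` as a destination the host had never used before. The backup server moves far more data every day but is never flagged, because the comparison is against each host's own history rather than a fleet-wide threshold; that is the property a practitioner wants when the exfiltration is hiding inside the normal traffic of a compromised workstation.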

The security community can better protect against these advanced threats by staying vigilant and sharing threat intelligence.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
