Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to the Pakistani group Storm-0156, which allows Secret Blizzard to access networks of Afghan government entities and Pakistani operators. 

They have deployed their own malware, TwoDash and Statuezy, and leveraged Storm-0156’s malware, Waiscot and CrimsonRAT, to gather intelligence on targeted networks, which demonstrates Secret Blizzard’s sophisticated techniques and their ability to exploit vulnerabilities in other threat actor’s infrastructure.

It is a sophisticated nation-state actor that leverages the infrastructure of other threat actors to conduct stealthy and persistent cyberattacks.

By compromising C2 servers and workstations, they gain unauthorized access to sensitive data and expand their operational reach. 

It allows them to bypass detection and attribution mechanisms, enabling them to target critical infrastructure and government networks, as their ability to exploit trust relationships and leverage stolen tools highlights the evolving threat landscape and the need for robust cybersecurity measures.

Storm-0156, a Pakistani nation-state actor, has been observed using Hak5 hardware-based tools to compromise targets in India and Afghanistan, which are deployed via physical access, bypass traditional security measures, and enable data exfiltration and script execution. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The campaign, initiated in late 2022 and continuing into early 2023, targeted government organizations, including the Ministry of Foreign Affairs and defense entities, highlighting Storm-0156’s adaptability and persistent focus on compromising critical infrastructure. 

The group leveraged compromised Storm-0156 C2 infrastructure to access Afghan government networks.

By exploiting vulnerabilities and deploying their custom malware, “Two-Dash,” they gained persistent access to critical systems. 

While the group’s operations, spanning from late 2022 to mid-2023, involved extensive data exfiltration and potential espionage activities targeting sensitive government information.

According to Lumen, it breached Storm-0156’s infrastructure, gaining access to sensitive information and potentially compromising additional networks by leveraging this access to target Indian government and military networks, interacting with CrimsonRAT and Waiscot C2s. 

While Secret Blizzard didn’t deploy their own agents, they likely exploited existing infrastructure to gather intelligence and execute attacks, which highlights the evolving threat landscape and the need for robust cybersecurity measures to protect critical infrastructure.

A Russian FSB-linked threat actor has adopted a unique tactic of compromising other threat actors’ C2 servers to conceal its operations and shift blame, which, combined with sophisticated techniques and a focus on data exfiltration, poses a significant threat. 

To mitigate this risk, organizations should implement robust security measures, including a well-tuned EDR solution, monitoring for large data transfers, and considering SASE solutions.

The security community can better protect against these advanced threats by staying vigilant and sharing threat intelligence.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses