URL: https://blog.centurylink.com/snowblind-the-invisible-hand-of-secret-blizzard/?utm_source=rss&utm_medium=rss&utm_campaign=snow...


SNOWBLIND: THE INVISIBLE HAND OF SECRET BLIZZARD

Black Lotus Labs Posted On December 4, 2024


EXECUTIVE SUMMARY

Lumen’s Black Lotus Labs has uncovered a longstanding campaign orchestrated by
the Russian-based threat actor known as “Secret Blizzard” (also referred to as
Turla). This group has successfully infiltrated 33 separate command-and-control
(C2) nodes used by Pakistani-based actor, “Storm-0156.” Known for their focus on
espionage, Storm-0156 is associated in public reporting with two activity
clusters, “SideCopy” and “Transparent Tribe.” This latest campaign, spanning the
last two years, is the fourth recorded case of Secret Blizzard embedding
themselves in another group’s operations since 2019 when they were first seen
repurposing the C2s of an Iranian threat group.

In December 2022, Secret Blizzard initially gained access to a Storm-0156 C2
server and by mid-2023 had expanded their control to a number of C2s associated
with the Storm-0156 actor. From their vantage point within these servers, Secret
Blizzard leveraged the pre-existing access obtained by Storm-0156 to deploy
their own malware, “TwoDash” and “Statuezy,” into a handful of networks linked
to various entities within the Afghan government. Notably, in April 2023, Secret
Blizzard advanced their operations by moving into the workstations of
Pakistani-based operators. Through this channel, they potentially acquired a
wealth of data. This bounty included insights into Storm-0156’s tooling,
credentials for both C2s and targeted networks, as well as exfiltrated data
collected from prior operations.

By mid-2024, Secret Blizzard had expanded their focus to include the use of two
other malware families, Waiscot and CrimsonRAT, which they appropriated from the
Pakistani workstations. CrimsonRAT was previously found in use against
government and military targets in India. Secret Blizzard later took advantage
of their access to gather data from prior deployments of the malware.

Lumen Technologies extends its gratitude to our partners at the Microsoft Threat
Intelligence Team (MSTIC) for their invaluable contributions in tracking and
mitigating this threat. This report is released in conjunction with MSTIC’s
blog, which provides further insight into these events. The Microsoft blog can
be found here.



INTRODUCTION

Black Lotus Labs has monitored a diverse array of nation-state actors, including,
in a previous report, a Secret Blizzard campaign that utilized strategic
compromises against Ukrainian websites. One characteristic distinguishes this
group more than any other: their audacity in exploiting other threat actors’ C2
servers for their own purposes. This strategy allows Secret Blizzard to remotely
acquire sensitive files that were previously exfiltrated from compromised
networks, without employing (and possibly exposing) their own tools; crucially,
operations such as these avoid or delay attribution. In scenarios where the
other threat actors have not acquired all the data of interest on their targets,
Secret Blizzard can search the data collected on C2 nodes for stolen
authentication materials to gain access, or use the existing access to expand
collection and deploy their own agents into a network. By doing so, Secret
Blizzard essentially takes advantage of the foothold created by the original
threat actor.

While this method of data collection offers unique benefits, a malicious actor
who stops there would be limited to gathering data or gaining access only within
networks controlled by a single C2 node. Secret Blizzard continued to exploit
trust relations by moving from an actor’s C2 nodes into the operator’s
workstations. We believe that nation-state and cybercriminal endpoints and
malware are especially vulnerable to exploitation since they are unable to use
modern security stacks for monitoring access and protecting against
exploitation. When threat actors have installed security products, it has
resulted in the disclosure of their previously unknown exploits and tools. We
suspect that the routine deletion of log data, a standard best practice for
threat actors, compounds the exposure.

This report illustrates the meticulous and systematic approach Secret Blizzard
took to expand their operations in the Middle East over the past two years. We
will start by briefly describing the Storm-0156 (SideCopy/Transparent Tribe)
modus operandi, then show how Storm-0156’s access was leveraged, allowing Secret
Blizzard to target Afghanistan government networks beginning in 2022. We suspect
they manipulated the trust relationship from those Storm-0156 C2s to move into
the Pakistani computer network operators’ workstations, pilfering data from
those nodes along the way, including the Waiscot and CrimsonRAT malware used to
interact with Indian-based networks.



TECHNICAL DETAILS


OVERVIEW OF STORM-0156 MODUS OPERANDI AND PREVIOUSLY UNDOCUMENTED TRADECRAFT

Black Lotus Labs had previously tracked an activity cluster associated with
Storm-0156, a nation-state actor operating out of Pakistan. Over the past
several years this threat actor has used a diverse array of both open-source
tools, such as AllaKore, and custom remote access trojans. While Storm-0156 has
demonstrated proficiency in adapting their tools to different operating systems,
including the recent integration of Python-based tools for Linux systems, their
fundamental tactics, techniques, and procedures (TTPs) have remained relatively
unchanged. Broadly speaking, Storm-0156’s engagements primarily target regional
governmental organizations, with a persistent focus on Afghanistan and India,
including entities in government, technology, and industrial control systems
such as power generation and distribution.

In January 2023, Lumen observed a Storm-0156 campaign using a single VPS,
185.217.125[.]195, that had a “hak5 Cloud C2” banner and was administered
from known Storm-0156 C2s. This banner indicated that the server was acting as a
cloud-based C2 configured to control a suite of Hak5 tools. Hak5 equipment is
unique as it offers hardware-based solutions for “red teams, pentesters, cyber
security students and IT professionals.” Unlike the commodity RATs previously
used by Storm-0156, Hak5 equipment requires having physical access to a
workstation, a network cable, or proximity to a WiFi Pineapple. While the use of
close access equipment has been observed before, it is seldom reported upon.
Once installed, these devices can either surreptitiously retrieve data or run
predefined scripts. The advantage of hardware-based attacks lies in their
design, which allows users to effectively bypass standard EDR/XDR protections.

This campaign came to light after the new server was administered from two known
Storm-0156 operational nodes; the first node, 209.126.6[.]227, connected from
January through February 2023. The second node, 209.126.81[.]42 reported by
Qi’anxin, connected to this new server from February through July 2023. Analysis
of the telemetry associated with this Hak5 Cloud C2 revealed a significant
volume of data flow associated with a limited number of entities. These were an
Indian Ministry of Foreign Affairs office in Europe, an Indian national defense
organization and several other government bodies, all taking place from December
2022 through March 2023.

Figure 1: Logical Connections between Storm-0156’s Hak5 Cloud C2 and known C2s.



SECRET BLIZZARD GAINS ACCESS TO STORM-0156 C2S

While monitoring the Storm-0156 campaigns, we uncovered 11 C2 nodes that were
active from December 2022 through mid-2023. Black Lotus Labs observed malware
samples or public reporting corresponding to 8 of the 11 nodes. Closer analysis
revealed that these 11 all communicated with three newly identified VPS IP
addresses. The VPSs caught our eye, as they were leased through a provider that
we had not seen used in previous Storm-0156 campaigns. Our counterparts at MSTIC
were able to confirm that the three nodes were associated with Secret Blizzard,
who used the following three IP addresses from at least December 2022 through
August 2023: 146.70.158[.]90, 162.213.195[.]129, 146.70.81[.]81.

Although we cannot be certain how Secret Blizzard identified the remaining three
nodes that did not correspond to public malware samples or reporting, we suspect
they could have used a method of Remote Desktop Protocol (RDP) pivoting outlined
here by Team Cymru. The full list of Storm-0156 IP addresses and the timeframe
of interaction with the 2023 Secret Blizzard C2s are as follows:

 * 154.53.42[.]194; Dec 11, 2022 – Oct 7, 2024
 * 66.219.22[.]252; Dec 12, 2022 – July 9, 2023
 * 66.219.22[.]102; Dec 27, 2022 – Aug 9, 2023
 * 144.126.152[.]205; Dec 28, 2022 – Mar 2, 2023
 * 185.229.119[.]60; Jan 31 – Mar 14, 2023
 * 164.68.108[.]153; Feb 22 – Aug 21, 2023
 * 209.126.6[.]227; Feb 27 – Mar 22, 2023
 * 209.126.81[.]42; April 30 – July 4, 2023
 * 209.126.7[.]8; May 5 – Aug 22, 2023
 * 154.38.160[.]218; April 12 – Aug 23, 2023
 * 144.126.154[.]84; June 23 – Aug 21, 2023

We observed a continuation of this same behavior in 2024; however, Secret
Blizzard rotated their C2 nodes in 2024 to the following IP addresses:
146.70.158[.]90, 162.213.195[.]192. The list of nine Storm-0156 IP addresses and
the timeframe of interaction with the 2024 Secret Blizzard C2s are shown below:

 * 173.212.252[.]2; May 29 – Oct 10, 2024
 * 185.213.27[.]94; May 26 – Aug 24, 2024
 * 167.86.113[.]241; May 28 – Aug 9, 2024
 * 109.123.244[.]46; May 28 – Oct 18, 2024
 * 23.88.26[.]187; May 29 – Oct 20, 2024
 * 173.249.7[.]111; Aug 28 – Oct 24, 2024
 * 62.171.153[.]221; May 27 – Oct 21, 2024
 * 173.212.252[.]2; May 29 – Nov 20, 2024
 * 149.102.140[.]36; May 28 – Sept 2, 2024



SECRET BLIZZARD DROPS THEIR OWN TOOLING INTO AFGHAN GOVERNMENT NETWORKS

During our monitoring of Secret Blizzard’s interactions with the Storm-0156 C2
nodes, we identified beaconing activity from various Afghan government networks
that Storm-0156 threat actors had previously compromised. This leads us to
believe, with high confidence, that Secret Blizzard used their access to the
Storm-0156 C2s to gather essential network information and deploy their own
malware, “Two-Dash,” into the Afghan government networks.

We observed communications from several IP addresses based in Afghanistan. The
duration and volume of data transferred indicated that three of these IP
addresses showed beaconing activity for just a week, suggesting that Secret
Blizzard chose not to maintain long-term access. However, three other networks
appeared to be of greater interest, as they showed beaconing activity over
months with significant data transfers:

 * Secret Blizzard C2 node 146.70.158[.]90 was found interacting with six IP
   addresses and was active from at least January 23, 2023, through September 4,
   2023.
 * Secret Blizzard C2 node 162.213.195[.]129 communicated with five IP
   addresses and was active from December 29, 2022, through September 4, 2023.
 * Secret Blizzard C2 node 167.88.183[.]238 transmitted to only one IP address,
   on April 17, 2023.

From at least May through October 2024, we observed persistent connections from
the same handful of Afghan government networks; the only notable difference was
that the C2 rotated to 143.198.73[.]108, aligning with the prior Storm-0156
infections.



INTO THE VOID: SURREPTITIOUS ENTRY TO THE PAKISTANI OPERATOR NETWORK

The most critical observation of this campaign was the detection of Two-Dash
beaconing activity, not only from Storm-0156 C2 nodes in Afghanistan, but also
from a dynamic IP address originating in Pakistan.

On May 4th, 2023, the Pakistani IP address 182.188.171[.]52 connected to a known
AllaKore C2 node via Remote Desktop Protocol (RDP) from 06:19:00 through 10:48:00
UTC. During this time window, the same Pakistani IP address 182.188.171[.]52
established a connection to the known Secret Blizzard IP address
146.70.158[.]90, from 05:57:00 through 08:13:00 UTC. Given the connection
duration of almost two hours, and the fact that the Secret Blizzard IP address
146.70.158[.]90 was used as a C2 server for both Storm-0156 C2 nodes and Afghan
government victims, this strongly indicates that Secret Blizzard compromised the
Storm-0156 operators themselves. We then observed intermittent connections from
various dynamic IP addresses that geolocate to Pakistan connecting to known
Secret Blizzard C2s.
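The observation above (one Pakistani address holding a session to a Storm-0156 AllaKore C2 and a session to a Secret Blizzard C2 during the same window) generalises to a simple infrastructure analytic: flag any source whose sessions to two separately tracked infrastructure sets overlap in time. The following Python is an added example, not code from Black Lotus Labs or this report. The two session times and the Secret Blizzard address are taken from the text; the AllaKore C2 address is not given in the report, so 203.0.113.10 (a TEST-NET-3 address) stands in as a labelled placeholder, and the decoy records are constructed.

```python
"""Overlapping-session analysis: report any source address whose sessions to
two separately tracked infrastructure sets were open at the same time.

Added example, not Black Lotus Labs code. Session times for 182.188.171[.]52
and the Secret Blizzard C2 addresses come from the report; the AllaKore C2
address is not given there, so 203.0.113.10 (TEST-NET-3) is a placeholder.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    start: datetime
    end: datetime


def refang(ip: str) -> str:
    """Turn a defanged address such as 146.70.158[.]90 back into 146.70.158.90."""
    return ip.replace("[.]", ".")


def overlap_minutes(a: Session, b: Session) -> int:
    """Whole minutes during which both sessions were open; 0 if they never overlap."""
    start = max(a.start, b.start)
    end = min(a.end, b.end)
    return max(0, int((end - start).total_seconds() // 60))


def find_overlaps(sessions, set_a, set_b, min_minutes: int = 0):
    """Return (src, dst_in_a, dst_in_b, minutes) for every pair of sessions from
    the same source where one destination belongs to set_a, the other to set_b,
    and the two sessions overlapped for more than min_minutes."""
    a_ips = {refang(ip) for ip in set_a}
    b_ips = {refang(ip) for ip in set_b}
    hits = []
    for s1 in sessions:
        if s1.dst not in a_ips:
            continue
        for s2 in sessions:
            if s2.src != s1.src or s2.dst not in b_ips:
                continue
            minutes = overlap_minutes(s1, s2)
            if minutes > min_minutes:
                hits.append((s1.src, s1.dst, s2.dst, minutes))
    return hits


def ts(hhmm: str) -> datetime:
    """Build a UTC timestamp on May 4, 2023, the day discussed in the report."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2023, 5, 4, hour, minute)


# Constructed sample: the two sessions described in the report, plus a decoy
# source whose sessions to both sets do not overlap.
SAMPLE = [
    Session("182.188.171.52", "203.0.113.10", ts("06:19"), ts("10:48")),   # RDP to AllaKore C2 (placeholder dst)
    Session("182.188.171.52", "146.70.158.90", ts("05:57"), ts("08:13")),  # Secret Blizzard C2
    Session("198.51.100.7", "203.0.113.10", ts("01:00"), ts("02:00")),     # decoy, no overlap
    Session("198.51.100.7", "146.70.158.90", ts("03:00"), ts("04:00")),
]
STORM_0156_C2 = {"203.0.113[.]10"}                                          # placeholder for the AllaKore C2
SECRET_BLIZZARD_C2 = {"146.70.158[.]90", "162.213.195[.]129", "146.70.81[.]81"}  # 2023 C2s from the report

if __name__ == "__main__":
    for src, dst_a, dst_b, minutes in find_overlaps(SAMPLE, STORM_0156_C2, SECRET_BLIZZARD_C2):
        print(f"{src} was connected to {dst_a} and {dst_b} concurrently for {minutes} min")
```

On the report's figures the overlap is 06:19 to 08:13 UTC, 114 minutes; raising `min_minutes` filters out brief coincidental overlaps when the analytic is run over bulk flow data.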

We suspect they leveraged access to the Storm-0156 C2 panel, then abused a trust
relationship to move laterally into the Storm-0156 operator’s workstation. This
achievement could have enabled them to access additional networks previously
compromised by Storm-0156, which include other Middle Eastern governmental
entities.



Figure 2: Secret Blizzard infiltrating both Storm-0156 and Afghan government
networks



DOUBLE SECRET PROBATION: SECRET BLIZZARD TARGETS C2S ASSOCIATED WITH INDIAN
NETWORK

Starting in 2024, Lumen’s continuous monitoring of the Secret Blizzard
infrastructure revealed interactions with a subset of CrimsonRAT C2 nodes, which
had previously been used to target the Indian government and military. Notably,
Secret Blizzard only engaged with seven CrimsonRAT C2s, though our data
indicated that several more were available. This selective engagement implies
that, while they had the capability to access all nodes, their tool deployment
was strategically limited to those associated with the highest priority targets
in India. The seven that were most attractive were:

 * 38.242.219[.]13; May 29 – Oct 20, 2024
 * 5.189.183[.]63; June 2 – Aug 11, 2024
 * 62.171.153[.]221; May 27 – Oct 13, 2024
 * 38.242.211[.]87; May 29 – Oct 5, 2024
 * 45.14.194[.]253; May 26 – Sept 18, 2024
 * 173.212.206[.]227; May 29 – Aug 2, 2024
 * 209.145.52[.]172; May 27 – Nov 21, 2024

Lumen also observed Storm-0156’s Indian-based targeting with a previously
undocumented malware family dubbed Waiscot, which was a Go-compiled remote
access trojan. The Waiscot malware along with other Storm-0156 malware families
were used to interact with the following Indian-based IP addresses:

 * 130.185.119[.]198; Dec 9, 2022 – Aug 14, 2024
 * 173.249.18[.]251; Feb 15 – Aug 24, 2023
 * 176.57.184[.]97; May 31 – Oct 20, 2024
 * 209.126.11[.]251; May 25 – June 13, 2024

We also observed other malware families, such as ActionRat, used to target
Indian-based organizations; those IP addresses and timeframes were as follows:

 * 144.91.72[.]17; Dec 16, 2022 – April 26, 2023
 * 84.247.181[.]64; May 27 – Nov 17, 2024

An interesting observation was that although Lumen detected Secret Blizzard
interacting with various C2s, we did not see Secret Blizzard deploying their own
agents, like Two-Dash or Statuezy, into Indian networks. It remains unclear
whether they moved downstream into those victims, as they might have either
taken relevant data from the C2s or were using the existing agents that
Storm-0156 had already established to submit their data requests.



CONCLUSION

The Secret Blizzard activity cluster, along with its parent organization, the
Russian FSB, has consistently employed sophisticated tradecraft to achieve their
goals while maintaining the secrecy of their operations. Unlike other Russian
groups, which often use a variety of techniques to create plausible deniability—
such as operating through residential proxy networks managed by cybercriminals
or using commercially available frameworks like Cobalt Strike—Turla has opted
for a unique strategy. Compromising the command-and-control servers of other
threat actors not only helps them gather the information they seek but also
shifts the blame to other groups if incident response efforts reveal
exploitation on these networks. We have documented this case study because we
believe this approach will likely persist, especially as Western nations,
including the United States and European allies, continue to uncover and condemn
Russian activities in cyberspace.

Black Lotus Labs continues to monitor and track nation-state Russian activity
clusters to help protect and better secure the internet. To that end, we have
blocked traffic across the Lumen global backbone to all the infrastructure related
to both Secret Blizzard and the various sub-clusters of Storm-0156. We have
added the indicators of compromise (IoCs) from this campaign into the threat
intelligence feed that fuels the Lumen Connected Security portfolio. We will
continue to monitor new infrastructure, targeting activity, and expanding TTPs,
and we will continue to collaborate with the security research community to
share findings related to this activity.

We strongly recommend treating all compromises as equally concerning, regardless
of whether the activity flags for a nation-state malware family or appears
related to cybercrime, as both have been co-opted by Secret Blizzard in the
past. We encourage the community to monitor for and alert on these and any
similar IoCs. We also advise the following:

 * Deploy a well-tuned EDR solution that routinely receives signature updates
   on all network assets, along with centralized monitoring that looks for
   signs of lateral movement within a network.
 * Look for large data transfers out of the network, even if the destination IP
   address is physically located in the same geographical area.
 * All organizations: consider comprehensive secure access service edge (SASE)
   or similar solutions to bolster their security posture and enable robust
   detection on network-based communications.
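The IoC lists earlier in this report all use one line format (a defanged address, a semicolon, then a first-seen and last-seen date range), and the recommendations above ask defenders to alert on those IoCs and on large outbound transfers. The Python below is an added example, not Black Lotus Labs code: it parses that line format, refangs the addresses, and runs constructed egress flow records (internal source, external destination, bytes sent) against the watchlist, reporting matches inside and outside the reported activity window as well as transfers above a threshold. The watchlist lines are copied from the 2024 Storm-0156 list in this report; the flow records, the internal 10.20.30.0/24 hosts and the 500 MB egress threshold are assumptions.

```python
"""IoC watchlist matching over egress flow records.

Added example, not Black Lotus Labs code. The watchlist lines are copied from
the report's 2024 Storm-0156 list; the flow records, the internal 10.20.30.x
addresses and the egress threshold are constructed assumptions.
"""
import re
from datetime import date, datetime
from typing import NamedTuple, Optional

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}


class Ioc(NamedTuple):
    ip: str
    first_seen: date
    last_seen: date


class Flow(NamedTuple):
    ts: datetime      # when the flow was observed
    src: str          # internal host
    dst: str          # external destination
    bytes_out: int    # bytes sent from src to dst


def refang(ip: str) -> str:
    """Turn 173.212.252[.]2 back into 173.212.252.2 so it matches log data."""
    return ip.replace("[.]", ".")


def _parse_date(text: str, default_year: Optional[int]) -> date:
    """Parse 'Dec 11, 2022' or 'Jan 31'. The report mixes full and abbreviated
    month names (April, Sept, Oct), so only the first three letters are used."""
    m = re.fullmatch(r"([A-Za-z]+)\.?\s+(\d{1,2})(?:,\s*(\d{4}))?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised date: {text!r}")
    year = int(m.group(3)) if m.group(3) else default_year
    if year is None:
        raise ValueError(f"no year for date: {text!r}")
    return date(year, MONTHS[m.group(1)[:3].lower()], int(m.group(2)))


def parse_ioc_line(line: str) -> Ioc:
    """Parse one report bullet such as '* 154.53.42[.]194; Dec 11, 2022 – Oct 7, 2024'.
    A start date without a year ('Jan 31 – Mar 14, 2023') takes the end date's year."""
    body = line.strip().lstrip("*").strip()
    ip_part, range_part = body.split(";", 1)
    start_txt, end_txt = re.split(r"\s+[–-]\s+", range_part.strip(), maxsplit=1)
    end = _parse_date(end_txt, None)
    start = _parse_date(start_txt, end.year)
    return Ioc(refang(ip_part.strip()), start, end)


def load_watchlist(text: str) -> dict:
    """Build {ip: Ioc} from a block of report-style IoC lines."""
    return {ioc.ip: ioc for ioc in (parse_ioc_line(l) for l in text.splitlines() if l.strip())}


def scan_flows(flows, watchlist, egress_threshold: int = 500_000_000) -> list:
    """Return (alert_kind, address, flow) tuples. An IoC hit outside the reported
    activity window is still raised but labelled so it can be triaged separately;
    large egress is flagged whatever the destination, as the report recommends."""
    alerts = []
    for f in flows:
        for ip in (f.src, f.dst):
            ioc = watchlist.get(ip)
            if ioc is not None:
                in_window = ioc.first_seen <= f.ts.date() <= ioc.last_seen
                alerts.append(("ioc_match" if in_window else "ioc_match_outside_window", ip, f))
        if f.bytes_out >= egress_threshold:
            alerts.append(("large_egress", f.dst, f))
    return alerts


# Watchlist lines copied from the report (2024 Storm-0156 C2s seen with Secret Blizzard).
IOC_TEXT = """
 * 173.212.252[.]2; May 29 – Oct 10, 2024
 * 185.213.27[.]94; May 26 – Aug 24, 2024
 * 167.86.113[.]241; May 28 – Aug 9, 2024
 * 109.123.244[.]46; May 28 – Oct 18, 2024
 * 23.88.26[.]187; May 29 – Oct 20, 2024
"""

# Constructed egress flows: internal 10.20.30.x hosts talking to external addresses.
SAMPLE_FLOWS = [
    Flow(datetime(2024, 6, 1, 9, 15), "10.20.30.40", "173.212.252.2", 12_000),          # IoC, inside window
    Flow(datetime(2024, 12, 1, 22, 5), "10.20.30.41", "185.213.27.94", 4_000),          # IoC, after window
    Flow(datetime(2024, 7, 15, 2, 40), "10.20.30.42", "198.51.100.9", 2_400_000_000),   # large egress only
    Flow(datetime(2024, 7, 16, 11, 0), "10.20.30.43", "192.0.2.50", 1_500),             # benign
]

if __name__ == "__main__":
    for kind, ip, flow in scan_flows(SAMPLE_FLOWS, load_watchlist(IOC_TEXT)):
        print(f"{kind:26} {ip:16} {flow.src} -> {flow.dst} "
              f"at {flow.ts:%Y-%m-%d %H:%M} ({flow.bytes_out} B)")
```

Keeping the reported activity window on each entry lets an analyst separate a hit during the documented campaign from a later hit on the same address, which may be the same actor, a new tenant of a re-leased VPS, or a sinkhole; the egress rule runs independently of the watchlist because the destination of an exfiltration channel is rarely known in advance.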

Analysis of Secret Blizzard’s activity was performed by Danny Adamitis.
Technical editing by Ryan English.

For additional IoCs associated with this campaign, please visit our GitHub page.

If you would like to collaborate on similar research, please contact us on
social media @BlackLotusLabs.

This information is provided “as is” without any warranty or condition of any
kind, either express or implied. Use of this information is at the end user’s
own risk. 
