Introduction
The Russian cyber espionage group Secret Blizzard [3] [6], also known by various aliases such as Turla and Venomous Bear, has been a significant player in global cyber espionage since at least 2004. Attributed to Center 16 of Russia’s Federal Security Service (FSB) [6], this sophisticated nation-state actor primarily targets Windows infrastructure to conduct state-level espionage. Their operations focus on ministries of foreign affairs, embassies [6] [8], defense departments [6] [8], and related organizations worldwide [8], aiming to establish long-term access to valuable systems for politically significant intelligence [8].
Description
Russian cyber espionage group Secret Blizzard [3] [5] [6], also known as Turla [1] [4] [5] [6] [7], Iron Hunter [6], Venomous Bear [6], WhiteBear [6], Waterbug [6], or Snake [6], has been active since at least 2004 and is attributed to Center 16 of Russia’s Federal Security Service (FSB) [6]. This sophisticated nation-state actor primarily targets Windows infrastructure and conducts state-level espionage against ministries of foreign affairs, embassies [6] [8], defense departments [6] [8], and related organizations worldwide [8], aiming to establish long-term access to valuable systems for politically significant intelligence [8].
In December 2022 [1] [3] [4] [9], Secret Blizzard infiltrated the command-and-control (C2) infrastructure of the Pakistan-based espionage group Storm-0156 [9], also known as SideCopy and Transparent Tribe [3]. This operation enabled them to access 33 compromised C2 nodes, significantly enhancing their operational capabilities. By mid-2023 [3] [7] [9], they had expanded their control to these nodes, targeting sensitive networks within Afghan government agencies, such as the Ministry of Foreign Affairs and the General Directorate of Intelligence (GDI) [1] [2] [4] [9], as well as Indian military and defense institutions [7]. They employed custom malware [1], including the TwoDash .NET downloader and the trojan Statuezy [10], which monitors clipboard data [1], to infiltrate these networks, with evidence of the TwoDash backdoor being deployed directly to desktops [1] [9].
Secret Blizzard has transitioned from using a variant of the TinyTurla backdoor to deploying TwoDash and Statuezy on Storm-0156 C2 servers. This access allows them to control Storm-0156’s backdoors [10], such as CrimsonRAT and Wainscot [1] [8] [10], while maintaining communication with their own C2 infrastructure [10]. Both groups exploit DLL-sideloading techniques [10], using a renamed credwiz.exe to load payloads like the MiniPocket backdoor or TwoDash through duser.dll [10]. By mimicking Storm-0156’s operations [8] [10], Secret Blizzard employs similar techniques and filenames, including search-order hijacking to deploy TwoDash in c:\windows\system32\oci.dll [10], sideloaded via msdtc.exe [10].
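A defender-side hunt for the two sideloading patterns just described, added here as an example that is not part of the original write-up: it scans constructed Sysmon-style image-load records (field names assumed) for a renamed credwiz.exe loading duser.dll and for msdtc.exe loading oci.dll, and reports why each load is suspicious.

```python
import ntpath
from dataclasses import dataclass

# Host binary (PE OriginalFilename) -> DLL it resolves by search order; both pairs
# come from the write-up. oci.dll is flagged wherever it appears because Windows
# does not ship that library (msdtc.exe merely looks for it).
SIDELOAD_PAIRS = {"credwiz.exe": "duser.dll", "msdtc.exe": "oci.dll"}
NOT_SHIPPED_WITH_WINDOWS = {"oci.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

@dataclass
class ImageLoad:
    """One image-load record (Sysmon event 7 style); field names are assumed."""
    image: str               # full path of the loading process
    original_file_name: str  # OriginalFilename from the process's version info
    loaded: str              # full path of the DLL that was mapped
    signed: bool             # loaded DLL carries a valid Authenticode signature

def check_sideload(rec: ImageLoad) -> list[str]:
    """Return the reasons this load matches the documented sideloading pattern."""
    host_name = ntpath.basename(rec.image).lower()
    orig_name = rec.original_file_name.lower()
    dll_name = ntpath.basename(rec.loaded).lower()
    dll_dir = ntpath.dirname(rec.loaded).lower()
    if SIDELOAD_PAIRS.get(orig_name) != dll_name:
        return []  # not one of the host/DLL pairs we track
    reasons = []
    if host_name != orig_name:  # credwiz.exe copied under another name
        reasons.append(f"{orig_name} running as renamed image {host_name}")
    if dll_dir not in SYSTEM_DIRS:
        reasons.append(f"{dll_name} loaded from non-system directory {dll_dir}")
    if dll_name in NOT_SHIPPED_WITH_WINDOWS:
        reasons.append(f"{dll_name} is not a Windows component")
    if not rec.signed:
        reasons.append(f"{dll_name} is unsigned")
    return reasons

def hunt(records: list[ImageLoad]) -> list[tuple[str, str, list[str]]]:
    """Return (process, dll, reasons) for every record that raises a reason."""
    return [(r.image, r.loaded, rs) for r in records if (rs := check_sideload(r))]

# Constructed sample records: a benign load plus the two patterns from the page.
SAMPLE = [
    ImageLoad(r"C:\Windows\System32\credwiz.exe", "credwiz.exe",
              r"C:\Windows\System32\duser.dll", signed=True),
    ImageLoad(r"C:\Users\Public\update.exe", "credwiz.exe",
              r"C:\Users\Public\duser.dll", signed=False),
    ImageLoad(r"C:\Windows\System32\msdtc.exe", "msdtc.exe",
              r"C:\Windows\System32\oci.dll", signed=False),
]
```

The benign credwiz.exe/duser.dll load from System32 produces no finding; the same logic applied to real Sysmon event 7 data only needs the four fields mapped onto ImageLoad.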
Recent findings indicate that by April 2023, Secret Blizzard had compromised the workstations of Storm-0156 operators [9], potentially accessing sensitive operational data [1] [9], including tools [1] [2] [4] [7] [8] [9], network credentials [1] [3] [9], and exfiltrated information from previous operations conducted by the Pakistan-based group [5]. Their strategic positioning and backdoor deployment have significantly impacted global cybersecurity [8], enabling them to infiltrate critical infrastructure in regions such as Afghanistan and South Asia. Their tactics encompass watering holes, adversary-in-the-middle (AiTM) attacks [6], and spear-phishing campaigns [6], utilizing in-house tools and malware such as Uroburos [6], while also targeting infrastructure used by other threat actors to stage exfiltrated data for their own espionage activities [6]. This strategic adaptation may reflect internal dynamics within the FSB or gaps in threat intelligence observations [10], allowing Secret Blizzard to establish footholds in networks with minimal effort [10], although it may lead to misalignment with their collection priorities and potential exposure due to poor operational security of the initial compromise [10].
As operations continue into mid-2024 [1] [9], the group has expanded its malware arsenal to include Wasicot and CrimsonRAT [9], appropriated from the Pakistani intrusions [1] [3] [9], complicating incident response efforts that may misattribute the attacks to other groups [9]. Monitoring efforts revealed 11 active C2 nodes from December 2022 through mid-2023 [3], with connections to three newly identified VPS IP addresses associated with Secret Blizzard [3]. In 2024 [3], the group rotated their C2 nodes [3], continuing their operations with a focus on high-priority targets [3], particularly in India. A significant observation was the detection of TwoDash beaconing activity from both Storm-0156 C2 nodes and a Pakistani IP address [3], indicating a compromise of Storm-0156 operators [3]. Continuous monitoring in 2024 showed interactions with a subset of CrimsonRAT C2 nodes [3], suggesting a selective engagement strategy focused on priority targets [3].
Secret Blizzard [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], along with its parent organization [3], the Russian FSB [2] [3], employs sophisticated tradecraft to maintain operational secrecy [3]. Unlike other Russian groups that utilize various techniques for plausible deniability [3], Secret Blizzard’s strategy of compromising the C2 servers of other threat actors allows them to gather intelligence while shifting blame to those groups [3], a tactic likely to persist as scrutiny of Russian cyber activities continues [3]. This approach is consistent with their historical pattern of exploiting the infrastructure of other APTs, having previously accessed tools from Iran’s APT 34 (Hazel Sandstorm [4], OilRig [4], Crambus) in 2017 [4]. Future operations are expected to reveal further details about Secret Blizzard’s campaigns [4], including its use of bots and backdoors from other threat actors [4], allowing them to efficiently access a wide range of sensitive data while masking their activities as originating from other groups [4].
Conclusion
Secret Blizzard’s operations have significantly impacted global cybersecurity, particularly in regions such as Afghanistan and South Asia. Their sophisticated tactics, including the compromise of other threat actors’ infrastructure, enable them to gather intelligence while maintaining plausible deniability. As they continue to expand their malware arsenal and adapt their strategies, it is crucial for cybersecurity professionals to enhance monitoring and incident response efforts to mitigate the risks posed by such advanced persistent threats. Future operations are likely to reveal more about Secret Blizzard’s capabilities and strategies, emphasizing the need for continuous vigilance and adaptation in the face of evolving cyber threats.
References
[1] https://nquiringminds.com/cybernews/russian-hacking-group-turla-infiltrates-pakistani-apt-storm0156-for-espionage/
[2] https://cyberpress.org/russian-blizzard-steal-data-from-rival-networks/
[3] https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/
[4] https://www.darkreading.com/threat-intelligence/russian-fsb-hackers-breach-pakistan-storm-0156
[5] https://thecyberwire.com/newsletters/daily-briefing/13/229
[6] https://www.infosecurity-magazine.com/news/russia-hackers-exploit-rival/
[7] https://www.news9live.com/technology/tech-news/turla-russian-hackers-exploit-pakistani-networks-2766715
[8] https://cybersecuritynews.com/secret-blizzard/
[9] https://cyberscoop.com/turla-infiltrates-pakistani-apt-networks-microsoft-lumen/
[10] https://securityaffairs.com/171699/apt/secret-blizzard-using-infrastructure-of-other-threat-actors.html