Russian Hackers Exploit Rival Attackers' Infrastructure for Espionage
Summary:
Secret Blizzard, a Russian state-sponsored advanced persistent threat group attributed to Center 16 of the FSB, has developed a unique strategy of leveraging tools and infrastructure from other threat actors to enhance its espionage operations. Over the past seven years, Secret Blizzard has used the tools and infrastructure of at least six different threat groups, including both state-sponsored and cybercriminal entities. This approach allows them to piggyback on existing footholds and infrastructure, reducing their effort while maintaining operational stealth. These tactics are exclusively employed for espionage purposes, such as gathering exfiltrated data staged by other threat actors or deploying their own backdoors to compromised devices.
In a collaborative effort, Microsoft Threat Intelligence and Black Lotus Labs uncovered Secret Blizzard's exploitation of the infrastructure of Storm-0156, a Pakistan-based espionage group also known as SideCopy, Transparent Tribe, and APT36. Since November 2022, Secret Blizzard has used Storm-0156’s C2 servers to deploy its own backdoors, including TinyTurla, TwoDash, and MiniPocket. They also commandeered Storm-0156’s tools, such as CrimsonRAT and Wainscot, to further their objectives. Additionally, Secret Blizzard leveraged advanced techniques like DLL side-loading and search-order hijacking to execute malicious payloads and evade detection.
Analyst Comments:
Notably, the group’s activities have targeted South Asian entities, including government and military institutions in Afghanistan and India. In Afghanistan, Secret Blizzard deployed backdoors to devices within government organizations, such as the Ministry of Foreign Affairs and the General Directorate of Intelligence. In India, they primarily focused on Storm-0156’s infrastructure, exfiltrating data from military and defense-related institutions rather than directly targeting devices. This difference in approach may reflect political considerations or operational directives within the FSB.
Suggested Corrections:
To harden networks against the Secret Blizzard activity listed above, defenders can implement the following:
Strengthen Microsoft Defender for Endpoint configuration
- Microsoft Defender XDR customers can implement attack surface reduction rules to harden an environment against techniques used by threat actors
- Block execution of potentially obfuscated scripts
- Block process creations originating from PSExec and WMI commands
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block abuse of exploited vulnerable signed drivers
- Block Webshell creation for Servers
- Enable network protection in Microsoft Defender for Endpoint
- Ensure tamper protection is enabled in Microsoft Defender for Endpoint
- Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode
- Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume
Strengthen Microsoft Defender Antivirus configuration
- Turn on PUA protection in block mode in Microsoft Defender Antivirus
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving threat actor tools and techniques
- Turn on Microsoft Defender Antivirus real-time protection
Strengthen operating environment configuration
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware
- Implement PowerShell execution policies to control the conditions under which PowerShell can load configuration files and run scripts
- Turn on and monitor PowerShell module and script block logging
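A host-level posture check for the corrections above, written here as an added example (it is not code from the original post or from the Microsoft report). It assumes a Windows host with the Defender PowerShell module; the ASR rule GUIDs are the documented ids as I know them and should be verified against Microsoft's ASR rules reference before use.

```powershell
# Added example: audit a Windows host against the Suggested Corrections listed above.
# Assumes the Defender PowerShell module (Get-MpPreference / Get-MpComputerStatus) is present.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# ASR rules named in the recommendations, mapped to their documented GUIDs (verify before use)
$asrRules = @{
    'Block execution of potentially obfuscated scripts'        = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block process creations from PSExec and WMI commands'     = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block executables unless prevalence/age/trusted list met' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block abuse of exploited vulnerable signed drivers'       = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    'Block Webshell creation for Servers'                      = 'a8f5898e-1dc8-49a9-9878-85004b8a61e6'
}

# An ASR rule counts as enforced only when it is configured AND its action is 1 (Block), not 2 (Audit)
function Test-AsrBlock([string]$Id) {
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $i = [array]::IndexOf($ids, $Id.ToLower())
    return ($i -ge 0 -and $pref.AttackSurfaceReductionRules_Actions[$i] -eq 1)
}

# Read a policy registry value, returning $null when the key or value is absent
function Get-PolicyValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Pass, $Evidence) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Evidence = "$Evidence" })
}

foreach ($name in $asrRules.Keys) { Add-Result "ASR: $name" (Test-AsrBlock $asrRules[$name]) $asrRules[$name] }
Add-Result 'Network protection enabled'    ($pref.EnableNetworkProtection -eq 1) $pref.EnableNetworkProtection
Add-Result 'Tamper protection enabled'     $status.IsTamperProtected            $status.IsTamperProtected
Add-Result 'Real-time protection on'       $status.RealTimeProtectionEnabled    $status.AMRunningMode
Add-Result 'PUA protection in block mode'  ($pref.PUAProtection -eq 1)          $pref.PUAProtection   # 1 = Block, 2 = Audit
Add-Result 'Cloud-delivered protection on' ($pref.MAPSReporting -ge 1)          $pref.MAPSReporting   # 0 = Off

# PowerShell logging is policy-driven; these keys are what Group Policy / Intune write
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$sbl = Get-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging'
$mod = Get-PolicyValue "$psPolicy\ModuleLogging"      'EnableModuleLogging'
Add-Result 'PowerShell script block logging' ($sbl -eq 1) $sbl
Add-Result 'PowerShell module logging'       ($mod -eq 1) $mod

# Execution policy: flag Unrestricted/Bypass/Undefined at machine scope
$ep = Get-ExecutionPolicy -Scope LocalMachine
Add-Result 'PowerShell execution policy restricts scripts' ($ep -in 'AllSigned', 'RemoteSigned', 'Restricted') $ep

$results | Format-Table -AutoSize
```

Run it in an elevated session on a sample of endpoints; any row with Pass = False maps directly back to one of the bullets above.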
Link(s):
https://www.infosecurity-magazine.com/news/russia-hackers-exploit-rival/
https://www.microsoft.com/en-us/sec...sing-storm-0156-infrastructure-for-espionage/