Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage
Dec. 5, 2024, 9:54 a.m.
Description
The Russian state-sponsored threat actor Secret Blizzard has been observed compromising the infrastructure of Storm-0156, a Pakistan-based espionage group, to conduct its own espionage operations. Since November 2022, Secret Blizzard has used Storm-0156's backdoors to deploy its own malware on compromised devices, particularly targeting government entities in Afghanistan and India. The threat actor has employed various tools, including a TinyTurla variant, TwoDash, Statuezy, and MiniPocket, alongside Storm-0156's CrimsonRAT and Wainscot backdoors. This activity highlights Secret Blizzard's tactic of leveraging other actors' infrastructure to diversify attack vectors and facilitate intelligence collection.
Tags
Date
- Created: Dec. 5, 2024, 2:56 a.m.
- Published: Dec. 5, 2024, 2:56 a.m.
- Modified: Dec. 5, 2024, 9:54 a.m.
Additional Information
- Defense
- Government
- British Indian Ocean Territory
- Afghanistan
- India