A hacking group linked to Russia's Federal Security Service (FSB) has been stealthily relying on the tools and infrastructure of at least six other threat actors for the past seven years, Microsoft Threat Intelligence (MTI) reports. The hackers have been sneaking into the systems of other cybercriminals to attack targets in Afghanistan and India.
A Moscow-aligned threat actor, known as Turla, Waterbug, Venomous Bear, and Snake and labeled by Microsoft as Secret Blizzard, has developed one of the most sophisticated cyber espionage tools for long-term intelligence collection on sensitive targets.
However, it has been caught hijacking and using the tools and infrastructure of other cybercriminals.
Secret Blizzard hacked into the infrastructure of the Pakistan-based threat actor tracked as Storm-0156 for espionage purposes on targets of interest in South Asia.
“We confirmed that Secret Blizzard is deploying backdoors and clipboard monitors to Storm-0156 infrastructure and using this position to commandeer Storm-0156 backdoors to download Secret Blizzard espionage tools onto victim devices,” Microsoft researchers said.
Based on our findings and those reported by governments and other security vendors, Microsoft Threat Intelligence assesses the Russian nation-state actor we track as Secret Blizzard has used the tools and infrastructure of at least 6 other threat actors during the past 7 years.
Microsoft Threat Intelligence (@MsftSecIntel), December 4, 2024
This has allowed Secret Blizzard to gain access to the Afghan Ministry of Foreign Affairs, intelligence agencies, and other government devices, as well as defense and military-related institutions in India.
The Russian threat actor frequently uses co-opted or commandeered infrastructure, suggesting that it is an intentional component of its tactics.
This way, it can establish a foothold on targeted networks with relatively minimal effort and obscure its involvement. However, the information obtained through this technique may not align entirely with Secret Blizzard’s collection priorities. There’s also a risk that piggybacking on infrastructure with poor operational security can expose Secret Blizzard’s activity.
MTI observed the hackers hijacking command and control (C2) servers and accessing Storm-0156’s CrimsonRAT backdoor to collect intelligence from its victims. Secret Blizzard also deployed its own implants on the victims' devices.
Leveraging other adversaries for access is not unique. However, MTI believes that it is “somewhat unusual” for an FSB-linked group.
“Secret Blizzard’s use of this technique highlights its approach to diversifying attack vectors,” Microsoft researchers said.
This is not the first time Russian state hackers have been found riding on others’ shoulders. Cozy Bear, another Russia-linked threat actor, had been using cyberweapons developed by commercial surveillance companies such as NSO Group and Intellexa.