Snowblind – The Invisible Hand of Secret Blizzard

Subject: Snowblind – The Invisible Hand of Secret Blizzard

Tactics: TA0042 Resource Development

Technique: T1584 Compromise Infrastructure, T1584.001 Compromise Infrastructure: Domains

Procedure:

Secret Blizzard compromised command-and-control (C2) infrastructure used by Storm-0156, a Pakistan-based threat actor, to gain access to Storm-0156’s targets’ networks and data. Secret Blizzard leveraged Storm-0156’s existing access to deploy its own malware, “TwoDash” and “Statuezy,” into Afghan government networks. Secret Blizzard also potentially acquired Storm-0156’s tools, C2 and target network credentials, and data exfiltrated from previous operations.

Vulnerability: EAV0015 When adversaries exploit a trusted relationship, they are vulnerable to collecting and acting on manipulated data provided by the trusted party.

Engagement Opportunity:

Monitor network traffic for unusual activity originating from or directed towards known compromised C2 infrastructure. This could involve setting up honeypots mimicking vulnerable C2 infrastructure to attract and engage with threat actors like Secret Blizzard.

Threat Actor: Secret Blizzard (also known as Turla), a Russia-based threat actor.

Threat Objective:

Espionage and data exfiltration, primarily targeting government entities in Afghanistan and India.

Deception Opportunity:

Deploy decoy C2 servers with fabricated data to deceive Secret Blizzard and gather intelligence on their tools, techniques, and procedures. This could also involve planting false information to mislead them about their targets’ activities.

Sensor Data Placement: Kernel-Mode

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

Observing connections between known C2 infrastructure and other IP addresses is specific to the implementation of the “Compromise Accounts” sub-technique used by Secret Blizzard in this campaign. However, not all instances of this sub-technique will involve compromising C2 infrastructure.
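The Engagement Opportunity and the Scoring Rationale above both reduce to one check: who is talking to C2 infrastructure that is known to be compromised. The following Python is an added example (not from the report and not part of the MSG template) that runs that check over constructed flow records: every flow touching a watch-listed C2 netblock is alerted, and a peer absent from the baseline of previously seen peers, or traffic originating from the C2 itself, is called out separately, since that is the pattern a second actor riding on another group's infrastructure produces. The netblock 203.0.113.0/24, the baseline peer and the flow records are all constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed watchlist: a hypothetical netblock standing in for Storm-0156 C2 known to be under Secret Blizzard's control
COMPROMISED_C2 = [ip_network("203.0.113.0/24")]

# Constructed baseline: peers already seen talking to that C2 before the takeover was reported
BASELINE_PEERS = {"198.51.100.10"}

# Constructed sample flow records: "timestamp src dst dport bytes"
SAMPLE_FLOWS = """\
2024-11-01T10:00:00Z 198.51.100.10 203.0.113.5 443 5120
2024-11-01T10:05:00Z 192.0.2.77 203.0.113.5 443 880
2024-11-01T10:06:00Z 203.0.113.5 10.20.30.40 8443 1048576
2024-11-01T10:07:00Z 10.20.30.41 8.8.8.8 53 120
""".splitlines()

def is_compromised_c2(ip):
    addr = ip_address(ip)
    return any(addr in net for net in COMPROMISED_C2)

def parse_flow(line):
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def analyze_flows(lines, baseline=BASELINE_PEERS):
    """Return one alert tuple (ts, kind, c2, peer, dport, bytes) per flow that touches watch-listed C2."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        src_c2, dst_c2 = is_compromised_c2(f["src"]), is_compromised_c2(f["dst"])
        if not (src_c2 or dst_c2):
            continue  # ordinary traffic, nothing to report
        c2, peer = (f["src"], f["dst"]) if src_c2 else (f["dst"], f["src"])
        if src_c2:
            kind = "outbound-from-c2"  # the C2 itself initiating toward a host: tooling or tasking being pushed
        elif peer in baseline:
            kind = "known-peer"        # a party already in the baseline; still worth logging
        else:
            kind = "new-peer"          # a party not in the baseline is using the C2: the second-actor pattern
        alerts.append((f["ts"], kind, c2, peer, f["dport"], f["bytes"]))
    return alerts
```

In production the watchlist would be fed from threat intelligence and the baseline from historical flow data; the "new-peer" and "outbound-from-c2" alerts are the ones that merit analyst attention.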

Link to Report: https://docs.google.com/document/d/1lU3Z4QK58UuiW7baKX3focG86qiQ02HRTYrHlTDNXjI/edit?usp=drive_web

Link to Report II.:

Additional Comments:

Secret Blizzard’s campaign highlights the risk of threat actors compromising and leveraging each other’s infrastructure. This underscores the importance of network monitoring and segmentation to detect and mitigate such threats.

Possible elements: C2 Honeyclients, Deception-as-a-Service (DaaS) Platform

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Secret Blizzard Attack Graph

1: Resource Development - Compromise Infrastructure - Compromise Accounts: Gain access to Storm-0156 C2 servers and operator workstations (Core to Some Implementations of (Sub-)Technique) [1]
2: Initial Access - Valid Accounts (T1078) - Use compromised Storm-0156 credentials to access Afghan government networks (Core to Pre-Existing Tool)
3: Persistence - External Remote Services (T1133) - Maintain persistent access to Afghan government networks using compromised C2 infrastructure (Core to Adversary-Brought Tool)
4: Command and Control - Application Layer Protocol (T1071) - Use malware "TwoDash" and "Statuezy" to communicate with compromised C2 servers (Core to Adversary-Brought Tool)
5: Collection - Data from Local System (T1005) - Exfiltrate data from Afghan government networks (Core to Sub-Technique or Technique)

1 --> 2 (Lack of Network Segmentation)
2 --> 3 (Lack of System Monitoring)
3 --> 4 (Lack of Network Monitoring)
4 --> 5 (Lack of Network Monitoring)
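The node and edge formats of the Malicious Sub-Graph Standard above are machine-readable, so here is an added Python parser (not part of the MSG standard or of this report) that reads the graph exactly as written on this page, checks that every edge points at a defined node, and walks the chain from node 1 to list the exploited vulnerabilities in order. The node numbers 1 to 5 in the embedded text are restored from the edge list; everything else is the page's own graph.

```python
import re
# The attack graph on this page, transcribed with node numbers 1-5 restored as its edge list implies
MSG_TEXT = """\
1: Resource Development - Compromise Infrastructure - Compromise Accounts: Gain access to Storm-0156 C2 servers and operator workstations (Core to Some Implementations of (Sub-)Technique) [1]
2: Initial Access - Valid Accounts (T1078) - Use compromised Storm-0156 credentials to access Afghan government networks (Core to Pre-Existing Tool)
3: Persistence - External Remote Services (T1133) - Maintain persistent access to Afghan government networks using compromised C2 infrastructure (Core to Adversary-Brought Tool)
4: Command and Control - Application Layer Protocol (T1071) - Use malware "TwoDash" and "Statuezy" to communicate with compromised C2 servers (Core to Adversary-Brought Tool)
5: Collection - Data from Local System (T1005) - Exfiltrate data from Afghan government networks (Core to Sub-Technique or Technique)

1 --> 2 (Lack of Network Segmentation)
2 --> 3 (Lack of System Monitoring)
3 --> 4 (Lack of Network Monitoring)
4 --> 5 (Lack of Network Monitoring)
"""
EDGE_RE = re.compile(r"^(\d+)\s*-->\s*(\d+)\s*\((.*)\)\s*$")

def split_trailing_parens(text):
    # Split "procedure (observable level)"; the level may itself contain parentheses, as in "(Sub-)Technique"
    text = re.sub(r"\s*\[\d+\]\s*$", "", text)  # drop a trailing [n] footnote marker
    if not text.endswith(")"):
        raise ValueError("missing observable level: " + text)
    depth = 0
    for i in range(len(text) - 1, -1, -1):
        depth += {")": 1, "(": -1}.get(text[i], 0)
        if depth == 0:
            return text[:i].strip(), text[i + 1:-1]
    raise ValueError("unbalanced parentheses in: " + text)

def parse_msg(text):
    nodes, edges = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = EDGE_RE.match(line)
        if m:  # "[Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])"
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3)))
            continue
        nid, rest = line.split(":", 1)  # "[Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])"
        body, level = split_trailing_parens(rest.strip())
        tactic, technique, procedure = (p.strip() for p in body.split(" - ", 2))
        nodes[int(nid)] = {"tactic": tactic, "technique": technique, "procedure": procedure, "level": level}
    return nodes, edges

def chain_vulnerabilities(nodes, edges, start=1):
    # Reject edges that reference undefined nodes, then walk from `start` collecting the vulnerability exploited per hop
    nxt = {s: (d, v) for s, d, v in edges}
    if undefined := (set(nxt) | {d for d, _ in nxt.values()}) - set(nodes):
        raise ValueError(f"edges reference undefined nodes: {sorted(undefined)}")
    path, cur = [], start
    while cur in nxt:
        cur, vuln = nxt[cur]
        path.append(vuln)
    return path
```

The ordered vulnerability list is the defender's checklist: the first entry is the control whose absence lets the chain begin, and fixing it breaks every later hop.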

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Secret Blizzard Pseudocode

function Resource_Development_Compromise_Infrastructure(target_C2):
    # Identify and exploit vulnerabilities in target_C2
    # Gain access to C2 servers and operator workstations
    return compromised_C2_access

function Initial_Access_Valid_Accounts(compromised_C2_access):
    # Use compromised credentials to access target networks
    return network_access

function Persistence_External_Remote_Services(network_access):
    # Establish persistent connection using compromised C2 infrastructure
    return persistent_access

function Command_and_Control_Application_Layer_Protocol(persistent_access):
    # Deploy malware "TwoDash" and "Statuezy"
    # Establish communication channel with C2 servers
    return C2_communication

function Collection_Data_from_Local_System(C2_communication):
    # Collect data from compromised networks
    # Exfiltrate data over C2 channel
    return exfiltrated_data