Microsoft: Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage
Microsoft assesses that the Russian nation-state actor it tracks as "Secret Blizzard" (aka Turla, publicly attributed to FSB Center 16 by the U.S. Government) has used the tools and infrastructure of at least six other threat actors during the past seven years. Secret Blizzard has also actively targeted infrastructure where other threat actors stage data exfiltrated from their victims, with the intention of collecting that data for its own espionage program. Microsoft assesses that Secret Blizzard's use of other actors' infrastructure and tools, both state-sponsored and cybercriminal, is exclusively for facilitating espionage operations.

This is the first of a two-part blog series. In this part, Microsoft discusses how Secret Blizzard used the infrastructure of the Pakistan-based threat activity cluster Storm-0156 (aka SideCopy, Transparent Tribe and APT36) to install backdoors and collect intelligence on targets of interest in South Asia. Together with Black Lotus Labs, Microsoft confirmed that Secret Blizzard C2 infrastructure emanated from Storm-0156 infrastructure, including infrastructure Storm-0156 used to collate data exfiltrated from campaigns in Afghanistan and India. Microsoft describes the compromise and post-compromise activities, the other attackers' backdoors that were used, and the victimology. Indicators of compromise and hunting queries are shared.
#russia #turla #snake #waterbug #venomousbear #cyberespionage #fsb #IOC #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI