Joint reports from Microsoft Threat Intelligence and Black Lotus Labs disclose details of a years-long hacking campaign by the Russian FSB-linked group Secret Blizzard. Through a sophisticated multi-stage campaign, the group compromised and repurposed Pakistani cyber operations infrastructure that was targeting Afghan and Indian networks.
The Heart of The Investigation: Hardware Hack
While tracking the activity of the Pakistani state-affiliated group “Storm-0156”, Black Lotus Labs researchers discovered a C2 server designed to remotely control a suite of deployed Hak5 commercial pen-testing devices. Hak5 sells a variety of disguised penetration-testing implants that rely on wireless or physical device access to compromise a target. Many of these tools have independent wireless antennas that allow remote C2 control via Hak5 software. Researchers observed Storm-0156’s server (which displayed Hak5’s commercial C2 software banner) exchanging unusually large volumes of data with several targets, including the Indian Ministry of Foreign Affairs office in Europe, an Indian national defense organization, and several other government bodies. This activity suggests that Storm-0156 had deployed Hak5 implants on these networks. Black Lotus Labs researchers assume that the group chose Hak5 devices because of the advantage of this attack vector: wireless and close-access attacks bypass standard EDR/XDR protections.
The Russian Takeover
What came next was surprising: every Storm-0156 C2 node used in this operation began communicating with 3 VPS IPs associated with the Russian FSB-linked group “Secret Blizzard” (also known as Turla). As the investigation of Storm-0156’s campaigns progressed, researchers discovered that Secret Blizzard had compromised 33 command-and-control server nodes that Storm-0156 used for its Indian and Afghan cyber operations campaigns.
Expansion of Operations
The Russian actors didn’t stop at simply monitoring Pakistani operations. By mid-2023, they had:
- Infiltrated Pakistani operators’ workstations
- Deployed their custom malware (“TwoDash” and “Statuezy”) into the networks of the Afghan Government Ministry and Intelligence Agencies
- Acquired control of additional hacking tools used by other threat actors, including “Waiscot” and “CrimsonRAT”
- Began retargeting Indian networks compromised by Storm-0156
Impact:
While current reports do not disclose further details on Secret Blizzard’s recent campaigns, they already highlight some key strategic implications.
Until the recent Nearest Neighbor Attack alerted the world to the reality of remote wireless attacks, cybersecurity professionals had largely discounted their organizations’ wireless and cyber-physical vulnerabilities. Even though these attacks have inherent advantages in avoiding EDR/XDR detection, organizations tolerated a growing debt of wireless and cyber-physical vulnerabilities because they assumed attackers needed “close access” to exploit them. The events of 2024 have made clear, however, that attackers actively exploit an organization’s lack of wireless airspace visibility as part of their attack strategy. In the past 6 months, reports on the Qilin group, APT-28, APT-29, and Storm-0156 have profiled their use of wireless attack vectors in cyber operations. As the compromised C2 server in this campaign and APT-28’s Nearest Neighbor Attack both show, attackers can exploit these wireless vulnerabilities remotely.
How Bastille Can Help:
Bastille Networks’ Wireless Airspace Defense would:
- Immediately identify the location and anomalous connections of any Hak5 wireless device
- Implement continuous wireless monitoring to detect unauthorized devices and connections
- Detect and locate all other wireless implants in real time
- Create alerts for anomalous wireless behavior that could indicate compromised infrastructure
- Maintain a comprehensive wireless device inventory
Now, more than ever, the ability to detect, locate, and raise alerts on unauthorized wireless devices and connections is a critical security requirement as adversaries increasingly leverage wireless attack methods to bypass traditional defenses.