Russian APT Targets Storm-0156 Server For Attack Campaigns
As per recent reports, a Russian-linked Advanced Persistent Threat (APT) group has been observed in a previously undocumented attack campaign. Turla, the Russian APT, has launched an attack campaign centered around infiltrating the command-and-control (C2) servers belonging to a Pakistan-based hacking group, Storm-0156.
In this article, we’ll look at the threat actor’s attack tactics, tools and technologies, and more. Let’s begin!
Russian APT Attacks: Overview
The long-standing malicious activities of the Russian APT were initially identified by Lumen’s Black Lotus Labs. It’s worth noting that the APT goes by the name “Secret Blizzard” or “Turla.” The cybersecurity research organization monitored a diverse array of state-backed threat actors exploiting the C2 servers of other hacking groups for their own initiatives.
Working with such a strategy allows the APT group to acquire sensitive files without exfiltrating them from compromised networks itself, without exposing its own tools, and while delaying attribution. Commenting on such an attack scenario, experts have stated that:
“In scenarios where the other threat actors have not acquired all the data of interest on their targets, they can search the data collected on C2 nodes for stolen authentication materials to gain access or use existing access to expand collection and deploy their agents into a network. By doing so, Secret Blizzard essentially takes advantage of the foothold created by the original threat actor.”
Although the technique of data collection used by the Russian APT offers unique benefits, a threat actor would be limited to gathering data or accessing only those networks that are controlled by the C2 node. According to the cyber threat research organization:
“Secret Blizzard continued to exploit trust relations by moving from an actor’s C2 nodes into the operator’s workstations. We believe that nation-state and cybercriminal endpoints and malware are especially vulnerable to exploitation since they are unable to use modern security stacks for monitoring access and protecting against exploitation.”
The researchers point out that where threat actors have installed security tooling, their exploits and tools have been exposed. It’s currently believed that hackers like the APT actively delete log data in an attempt to avoid such exposure.
Storm-0156 Servers And Secret Blizzard Attack Tactics
As far as the details of the attacks are concerned, it’s believed that the Russian APT exploited its trust relationship with Storm-0156. Doing so allowed them to move into the Pakistani computer network operators’ workstations, where they could pilfer data from those nodes. The same tactic was also used to acquire the Waiscot and CrimsonRAT malware.
The Russian APT later used this malware to interact with India-based networks. It’s worth noting that this threat actor uses a diverse array of open-source tools, including AllaKore, as well as custom remote access trojans. As for Storm-0156, the threat actors have adapted their tools for various operating systems.
However, no change has been observed in the tactics, techniques, and procedures (TTPs). It’s worth mentioning here that Storm-0156 is primarily involved in targeting regional governmental organizations and has a key focus on both India and Afghanistan. Some of the key entities that the group has targeted stem from various sectors including:
- Government.
- Technology.
- Industrial control systems.
- Power generation and distribution.
Providing insights about the Russian APT gaining access to the Pakistani Storm-0156’s C2 servers, experts have stated that:
“While monitoring the Storm-0156 campaigns, we uncovered 11 C2 nodes that were active from December 2022 through mid-2023. Black Lotus Labs observed malware samples or public reporting corresponding for 8 of the 11 nodes. Closer analysis revealed that these 11 all communicated with three newly identified VPS IP addresses.”
One of the most striking aspects of the VPSs was the fact that they had been leased through a provider that had not previously been seen in Storm-0156 campaigns. The MSTIC also confirmed that the three nodes were, in fact, associated with the Russian APT group, Secret Blizzard. From December 2022 to August 2023, the Russian APT used the following IP addresses:
- 146.70.158[.]90
- 162.213.195[.]129
- 146.70.81[.]81
Commenting on the Russian APT group’s use of these three nodes, experts have stated that:
“Although we cannot be certain how Secret Blizzard identified the remaining three nodes that did not correspond to public malware samples or reporting, we suspect they could have used a method of Remote Desktop Protocol (RDP) pivoting outlined here by Team Cymru.”
Provided below is a list of IP addresses belonging to Storm-0156 and the period during which each interacted with the Russian APT:

| Dates | IP Address |
|---|---|
| Dec 11, 2022 – Oct 7, 2024 | 154.53.42[.]194 |
| Dec 12, 2022 – July 9, 2023 | 66.219.22[.]252 |
| Dec 27, 2022 – Aug 9, 2023 | 66.219.22[.]102 |
| Dec 28, 2022 – Mar 2, 2023 | 144.126.152[.]205 |
| Jan 31 – Mar 14, 2023 | 185.229.119[.]60 |
| Feb 22 – Aug 21, 2023 | 164.68.108[.]153 |
| Feb 27 – Mar 22, 2023 | 209.126.6[.]227 |
| April 30 – July 4, 2023 | 209.126.81[.]42 |
| May 5 – Aug 22, 2023 | 209.126.7[.]8 |
| April 12 – Aug 23, 2023 | 154.38.160[.]218 |
| June 23 – Aug 21, 2023 | 144.126.154[.]84 |
Malicious Tools Deployed Into Afghan Government Networks
Apart from the IP addresses, experts have mentioned that while monitoring the interaction between the Russian APT group and Storm-0156 nodes, activity from Afghan government networks was also identified. Given the prevalence of the activity, experts have noted that the Russian APT group likely used access to the C2 servers for the deployment of the Two-Dash malware.
The communication pertaining to the attack sequence was observed from several IP addresses that were based in Afghanistan. Based on the duration and volume of data transferred, it can be concluded that the Afghan IP addresses showed beaconing activity just for a week. This implies that the threat actor deliberately chooses not to maintain long-term access. The three addresses that appeared to be of greater interest, however, included:
- 146.70.158[.]90 – observed to be interacting with six IP addresses and was active from January 23, 2023, to September 4, 2023.
- 162.213.195[.]129 – used for communicating with five IP addresses and was active from December 29, 2022, to September 4, 2023.
- 167.88.183[.]238 – mainly used for transmission to only one IP address that took place on April 17, 2023.
In addition, it was also identified that from May to October 2024, persistent connections from Afghan government networks continued, with one notable difference: the C2 had rotated away from the nodes aligned with Storm-0156 infections to 143.198.73[.]108.
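For defenders, the practical value of the two indicator lists above (the Storm-0156 C2 table and the Secret Blizzard VPS addresses) is a retroactive hunt through network telemetry. The script below is an added example, not code from Lumen, Black Lotus Labs or the article: it refangs the indicators exactly as the article prints them, attaches the date window the article reports for each node, and scans constructed flow records for destinations on the watchlist. The flow-log format and the sample records are assumptions made for the example; where the article gives only a month for a window (146.70.81[.]81 and 143.198.73[.]108), the whole month is used.

```python
import ipaddress
import re
from datetime import date, datetime

# Indicators as printed in the article (defanged), mapped to
# (attributed actor, first seen, last seen). Windows come from the article's
# table and paragraphs; month-only windows are widened to the full month.
INDICATORS = {
    # Storm-0156 C2 nodes and their observed window of interaction with Secret Blizzard
    "154.53.42[.]194":   ("Storm-0156 C2", "2022-12-11", "2024-10-07"),
    "66.219.22[.]252":   ("Storm-0156 C2", "2022-12-12", "2023-07-09"),
    "66.219.22[.]102":   ("Storm-0156 C2", "2022-12-27", "2023-08-09"),
    "144.126.152[.]205": ("Storm-0156 C2", "2022-12-28", "2023-03-02"),
    "185.229.119[.]60":  ("Storm-0156 C2", "2023-01-31", "2023-03-14"),
    "164.68.108[.]153":  ("Storm-0156 C2", "2023-02-22", "2023-08-21"),
    "209.126.6[.]227":   ("Storm-0156 C2", "2023-02-27", "2023-03-22"),
    "209.126.81[.]42":   ("Storm-0156 C2", "2023-04-30", "2023-07-04"),
    "209.126.7[.]8":     ("Storm-0156 C2", "2023-05-05", "2023-08-22"),
    "154.38.160[.]218":  ("Storm-0156 C2", "2023-04-12", "2023-08-23"),
    "144.126.154[.]84":  ("Storm-0156 C2", "2023-06-23", "2023-08-21"),
    # Secret Blizzard VPS / C2 nodes
    "146.70.158[.]90":   ("Secret Blizzard VPS", "2023-01-23", "2023-09-04"),
    "162.213.195[.]129": ("Secret Blizzard VPS", "2022-12-29", "2023-09-04"),
    "146.70.81[.]81":    ("Secret Blizzard VPS", "2022-12-01", "2023-08-31"),
    "167.88.183[.]238":  ("Secret Blizzard VPS", "2023-04-17", "2023-04-17"),
    "143.198.73[.]108":  ("Secret Blizzard C2 (2024)", "2024-05-01", "2024-10-31"),
}

# Common defanging styles: 1.2.3[.]4, 1.2.3(.)4, 1.2.3{.}4
DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(ioc: str) -> str:
    """Turn a defanged IPv4 indicator back into its dotted-quad form."""
    return DEFANG_RE.sub(".", ioc.strip())


def build_watchlist(indicators=INDICATORS) -> dict:
    """Refang and validate every indicator; returns {ip: (actor, start, end)}."""
    watch = {}
    for raw, (actor, start, end) in indicators.items():
        ip = str(ipaddress.ip_address(refang(raw)))  # raises on a malformed indicator
        watch[ip] = (actor, date.fromisoformat(start), date.fromisoformat(end))
    return watch


# Constructed sample flow records (not real traffic): "timestamp src dst bytes"
SAMPLE_FLOWS = """\
2023-03-01T10:22:13Z 10.20.4.17 66.219.22.102 18432
2023-03-01T10:22:14Z 10.20.4.17 93.184.216.34 912
2024-09-15T03:05:41Z 10.20.9.3 154.53.42.194 55031
2023-06-02T22:41:09Z 10.20.4.17 146.70.158.90 20480
2024-12-01T08:00:00Z 10.20.7.8 209.126.7.8 4096
"""


def scan_flows(text: str, watch=None) -> list:
    """Return one dict per flow whose destination is on the watchlist.

    'in_window' records whether the flow falls inside the period the article
    reports the node as active. A hit outside the window still deserves a look,
    since hosting can be reused, but it ranks lower for triage.
    """
    watch = watch or build_watchlist()
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        if dst not in watch:
            continue
        actor, start, end = watch[dst]
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).date()
        hits.append({
            "time": ts, "src": src, "dst": dst, "bytes": int(nbytes),
            "actor": actor, "in_window": start <= when <= end,
        })
    return hits


if __name__ == "__main__":
    for h in scan_flows(SAMPLE_FLOWS):
        flag = "IN-WINDOW    " if h["in_window"] else "OUT-OF-WINDOW"
        print(f"{flag} {h['time']} {h['src']} -> {h['dst']} ({h['actor']}, {h['bytes']} B)")
```

Run against the constructed records, the scan flags four of the five flows; the 209.126.7[.]8 hit lands well after the reported window and is marked accordingly, which is the kind of distinction worth keeping when a stale indicator list is replayed over months of retained telemetry.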
It’s worth noting that the most significant activity that was identified was the use of the Two-Dash malware. This was evident not only from the Storm-0156 C2 nodes located in Afghanistan but also from a dynamic IP address that originated from Pakistan. Providing insights pertaining to the use of the C2 panel, experts have stated that:
“We suspect they leveraged access to the Storm-0156 C2 panel, then abused a trust relationship to move laterally into the Storm-0156 operator’s workstation. This achievement could have enabled them to access additional networks previously compromised by Storm-0156, which includes other Middle Eastern governmental entities.”
As of now, it remains unclear whether the Russian APT moved downstream itself to compromise the targeted victims or made use of the existing agents established by Storm-0156.
Conclusion
The attack campaign by the Russian APT group, Secret Blizzard, highlights the sophistication of modern cyber-espionage tactics. By exploiting trust and leveraging access to Storm-0156’s C2 servers, the group demonstrated a strategic approach to infiltrating sensitive networks. With tools like Two-Dash malware and targeted lateral movements, their operations underscore the need for enhanced cybersecurity measures to protect against nation-state-backed threats and the vulnerabilities posed by inter-group trust exploitation.
The sources for this piece include articles in The Hacker News and Lumen.
