Russian state hackers hijacked rival servers to spy on targets in India, Afghanistan

Russian state-sponsored hackers exploited the servers of Pakistani threat actors to target organizations in South Asia, according to a new report.

In a campaign that began two years ago, the Moscow-backed hacker group Secret Blizzard, also known as Turla, infiltrated infrastructure used by the Pakistan-based cyber-espionage group Storm-0156 to spy on victims of political interest to the Kremlin.

The targeted organizations included government and intelligence agencies in Afghanistan, as well as military and defense-related institutions in India, researchers from Microsoft and Lumen Technologies’ threat intelligence arm, Black Lotus Labs, revealed in a report published on Wednesday.

It remains unclear how Secret Blizzard initially gained access to Storm-0156’s infrastructure or whether the Pakistani hackers were aware of the intrusion and allowed the attacks to be launched from their servers.

For Secret Blizzard, this strategy is not new. Since 2017, researchers have identified at least four instances where the group embedded itself in another threat actor’s operations. The group previously infiltrated the infrastructure of the Iranian state hacker group OilRig and a Kazakhstan-based threat actor.

Researchers explained that this tactic provides several advantages: it allows the hackers to remotely access sensitive files that were previously stolen from compromised networks by other groups, all without using their own tools; it gives hackers further access to victims’ networks, enabling them to gather more data and deploy their own malware; and it also makes attribution more difficult as the group can shift blame to other threat actors if their malicious actions are discovered.

Secret Blizzard gained access to the infrastructure of Pakistani hackers in 2022. In the attacks on the Afghan government, the Russian hackers used pre-existing access obtained by Storm-0156 to deploy their own malware, including TwoDash and Statuezy. In India, Secret Blizzard avoided deploying their own malware and instead targeted local institutions with Waiscot and CrimsonRAT, tools they appropriated from the Pakistani hackers.

The results of these campaigns, as well as the data obtained or its strategic value to the Kremlin, have not been disclosed.

Secret Blizzard, previously linked to Russia’s Federal Security Service (FSB), is known for stealing politically significant information, particularly advanced research that might influence international political issues.

The group has a history of targeting ministries of foreign affairs, embassies, government offices, defense departments and defense-related companies worldwide. During its operations, it collects and exfiltrates sensitive materials, including documents, PDFs and email content.

The infiltration of Storm-0156’s infrastructure not only enabled Russian hackers to launch attacks on their targets of interest with less effort but also allowed them to gain insights into Storm-0156’s tools, credentials and data exfiltrated from prior operations, researchers said. 

Storm-0156 is believed to be a nation-state actor operating out of Pakistan, primarily targeting regional government organizations in Afghanistan and India. Their focus includes entities in government, technology and industrial control systems, such as power generation and distribution. However, their relationship with Secret Blizzard remains unclear.

Researchers believe that Moscow’s hackers will likely continue using this approach, “especially as Western nations, including the U.S. and European allies, continue to uncover and condemn Russian activities in cyberspace,” according to Black Lotus Labs.