Lumen’s Black Lotus Labs has uncovered a sophisticated espionage campaign orchestrated by the Russia-based threat actor the researchers track as “Secret Blizzard,” also known as Turla. The group, linked to the Russian Federal Security Service (FSB), has infiltrated the command-and-control (C2) infrastructure of the Pakistan-based actor Storm-0156 as part of a “spy-on-spy” tactic.
According to Black Lotus Labs, Secret Blizzard successfully breached 33 C2 nodes operated by Storm-0156, a group publicly associated with the espionage-focused clusters SideCopy and Transparent Tribe. The campaign, spanning two years, is the fourth recorded instance of Secret Blizzard infiltrating another threat actor’s operations.
The operation began in December 2022, when Secret Blizzard gained initial access to a Storm-0156 C2 server. By mid-2023, the group had expanded its control, leveraging the infrastructure to deploy its own malware, TwoDash and Statuezy, against networks linked to Afghan government entities. By April 2023, the Russian group had infiltrated the workstations of Pakistan-based Storm-0156 operators, obtaining sensitive data including credentials, insight into their tooling, and information exfiltrated during prior operations.
By mid-2024, Secret Blizzard escalated its campaign further, repurposing two additional Storm-0156 malware families, Wainscot and CrimsonRAT. The latter, previously deployed against Indian government and military targets, was used to extract data from prior campaigns conducted by Storm-0156.
Black Lotus Labs, in collaboration with Microsoft threat hunters, observed Turla's interactions with a subset of CrimsonRAT C2 nodes. Interestingly, Turla engaged with only seven out of the available nodes.
“This selective engagement implies that, while they had the capability to access all nodes, their tool deployment was strategically limited to those associated with the highest priority targets in India,” Black Lotus Labs said.
Microsoft’s separate analysis reveals how Turla has systematically infiltrated the infrastructure of at least six state-sponsored and criminal hacking groups since 2017. These include Iranian (Hazel Sandstorm), Kazakhstani (Storm-0473), and other unnamed actors.