Russian APT Secret Blizzard Piggybacks on Other Groups' Infrastructure

The FSB-affiliated group has taken over other APT teams' C2 servers and tools

Microsoft has uncovered activity showing that the notorious Russian APT Secret Blizzard has been targeting the infrastructure and tools of as many as six other APT groups over the last few years.

Secret Blizzard is a threat group focused on cyber espionage and attributed to Russia's Federal Security Service (FSB). The group overlaps with the actor tracked as Turla and has been active for many years. Microsoft's new research shows that it has actively targeted the infrastructure and tools of other state-backed APTs, including the Pakistan-based actor known as Transparent Tribe, and has used that position to attack government officials and other victims in South Asian countries.

Why It Matters: Secret Blizzard is a top-tier APT group with a long history of compromising high-value targets such as telecom infrastructure and government agencies, and of maintaining long-term access for intelligence collection. The group has a wide range of its own tools and infrastructure, but it has consistently taken advantage of other groups' established footholds, C2 servers, and tool caches. This activity shows that Secret Blizzard will use whatever means are at its disposal to achieve its objectives. It is not unheard of for APTs to appropriate each other's resources, but it is relatively uncommon.

Key Details

  • Secret Blizzard has had access to Transparent Tribe's C2 infrastructure for more than two years and has used that group's previously deployed backdoors to install its own backdoors on target machines.

  • The group typically installs its own tool, known as Arsenal, on the compromised VPS C2 server. “Arsenal is an executable built on top of the cross-platform application development framework QtFramework, indicating it may also be deployed on operating systems other than Windows. Upon execution, Arsenal listens over a hardcoded port for incoming requests from controlled devices. Once connected, the tool enables threat actors to upload or download files to or from the device on which it is deployed,” Microsoft said.

  • Secret Blizzard has also deployed a version of the well-known TinyTurla backdoor in some cases.

  • Secret Blizzard has taken over some of Transparent Tribe's own deployments of CrimsonRAT, a remote access tool with a wide array of capabilities. (Microsoft tracks the Transparent Tribe actor as Storm-0156.) “In August 2024, Microsoft observed Secret Blizzard using a CrimsonRAT compromise that Storm-0156 had established in March 2024. Secret Blizzard is assessed to have commandeered the CrimsonRAT backdoor to download and execute Secret Blizzard’s TwoDash backdoor. Additionally, Microsoft observed instances of Secret Blizzard accessing Storm-0156’s CrimsonRAT on target devices in India,” Microsoft said.

As part of this activity, Secret Blizzard has targeted victims in Afghanistan and India, specifically government and defense targets in those countries.

“The frequency of Secret Blizzard’s operations to co-opt or commandeer the infrastructure or tools of other threat actors suggests that this is an intentional component of Secret Blizzard’s tactics and techniques,” Microsoft said.

“Leveraging this type of resource has both advantages and drawbacks. Taking advantage of the campaigns of others allows Secret Blizzard to establish footholds on networks of interest with relatively minimal effort. However, because these initial footholds are established on another threat actor’s targets of interest, the information obtained through this technique may not align entirely with Secret Blizzard’s collection priorities.”