Parasite hacking

From time to time you stumble across an article that, at first, looks like an ordinary APT campaign by one group against targets in another country, but then hits you as "wow, that is ingenious".


Here is the TLDR:

Storm-0156 (a Pakistan-based group) runs its own C2 infrastructure and has persistence in a number of Afghan networks. Then Secret Blizzard (a Russian group) comes along and piggybacks on the Pakistani C2. Through it they can deploy their own malware and get access to the same Afghan networks.

Then they go one step further, to the other end of the C2 channel: not the controlled hosts but the controllers, the Pakistani operators' PCs (the hackers at the keyboards). Those PCs run no endpoint protection, because otherwise their own malware would get scooped up, land on virustotal.com and consequently be burnt and useless. So landing on those unprotected operator PCs (potentially) gives them access to all the data the Pakistani group has collected in its own hacking operations.

So this is a case of parasite hacking, or, put more kindly: intelligent people are lazy people.

Snowblind: The Invisible Hand of Secret Blizzard – Lumen Blog

And when you ask ChatGPT/Dall-E to generate an image to go with the original article, you realize that the hoodie stereotype will never die.

PS: RITA is one of the best tools for detecting C2 tooling in your network. It is named after John Strand's mother, and the name conveniently also stands for Real Intelligence Threat Analytics.
GitHub – activecm/rita: Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
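The core idea behind that kind of tool is simple: an implant polls its C2 on a schedule, so the gaps between connections from one host to one destination are far more regular than anything a human produces. The Python below is an added example (my own code, not RITA's, and a simplified version of the interval-regularity idea rather than RITA's actual scoring) that runs over a few constructed Zeek-style conn.log lines: a jittered 60-second beacon, a human browsing pattern and a host with too few connections to judge. The hosts, addresses and timestamps are all made up.

```python
"""Beacon-style C2 detection over Zeek-like conn.log lines.

Added example, not RITA's code. The idea RITA is built around is that a
beaconing implant talks to its C2 on a schedule, so the inter-connection
intervals for a (source, destination, port) pair are unusually regular.
The scoring below is a simplified take on that idea, not RITA's algorithm.
"""
from collections import defaultdict
from statistics import median, quantiles

MIN_CONNECTIONS = 10  # with fewer samples the interval statistics mean nothing


def constructed_conn_log():
    """Constructed sample lines (not real traffic) using a subset of the Zeek
    conn.log columns: ts, id.orig_h, id.resp_h, id.resp_p, tab separated."""
    lines = []
    # Implant on 10.0.0.5 polling 203.0.113.10:443 about every 60 s with a
    # little jitter (intervals cycle 58, 60, 62, 60): 41 connections.
    ts = 1_700_000_000.0
    for i in range(41):
        lines.append(f"{ts:.6f}\t10.0.0.5\t203.0.113.10\t443")
        ts += (58, 60, 62, 60)[i % 4]
    # Human-driven browsing from 10.0.0.7 to a web server: irregular gaps.
    ts = 1_700_000_100.0
    for gap in (0, 3, 250, 7, 1900, 12, 40, 600, 5, 3300, 25, 90, 14):
        ts += gap
        lines.append(f"{ts:.6f}\t10.0.0.7\t198.51.100.20\t443")
    # Only three connections to a third host: not enough to judge.
    for ts in (1_700_000_500.0, 1_700_000_560.0, 1_700_000_620.0):
        lines.append(f"{ts:.6f}\t10.0.0.9\t192.0.2.30\t8080")
    return lines


def parse_conn_lines(lines):
    """Group connection timestamps by (src, dst, dport); Zeek header and
    comment lines (starting with '#') are skipped."""
    groups = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.rstrip("\n").split("\t")[:4]
        groups[(src, dst, int(dport))].append(float(ts))
    return groups


def bowley_skewness(values):
    """Quartile-based skewness in [-1, 1]; 0 means the jitter is symmetric."""
    q1, q2, q3 = quantiles(values, n=4)
    spread = q3 - q1
    if spread == 0:
        return 0.0  # all intervals identical: perfectly symmetric
    return (q3 + q1 - 2 * q2) / spread


def beacon_score(timestamps):
    """0..1, higher means the connection timing looks more machine-regular."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mid = median(intervals)
    if mid <= 0:
        return 0.0
    mad = median(abs(x - mid) for x in intervals)     # median absolute deviation
    skew_score = 1.0 - abs(bowley_skewness(intervals))  # symmetric jitter -> 1
    mad_score = max(0.0, 1.0 - mad / mid)               # tight jitter -> 1
    return (skew_score + mad_score) / 2


def score_conn_log(lines, min_connections=MIN_CONNECTIONS):
    """Return {(src, dst, dport): score} for pairs with enough connections,
    ordered so the most beacon-like pair comes first."""
    scored = {}
    for key, stamps in parse_conn_lines(lines).items():
        if len(stamps) >= min_connections:
            scored[key] = beacon_score(stamps)
    return dict(sorted(scored.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for (src, dst, dport), score in score_conn_log(constructed_conn_log()).items():
        print(f"{src} -> {dst}:{dport}  beacon score {score:.3f}")
```

Two caveats a practitioner will want: perfectly regular timing is also what NTP, update checkers and monitoring agents produce, so a high score is a lead to triage, not a verdict; and an implant with long or heavily randomized sleeps needs a much longer observation window than the 40 connections used here before the statistics say anything.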
In case you want to respond by e-mail, use my first name, then add an At sign followed by my last name, a dot and the most used commercial domain name extension.