2025-08-06 – Florentine E
The Black Lotus Labs team at Lumen Technologies documented a 3-year campaign by one of the more elusive threat actors in the world, Secret Blizzard (aka Turla). Here they discovered and broke into Pakistani ISI C2s that were part of an espionage campaign against Indian, Syrian and Afghan governments. Turla is infamous for repurposing the infrastructure of other threat actors, exfiltrating data and deploying their own tool sets along the way. This was the 4th documented case of Turla hacking another actor's C2 nodes, but it is the first case of their moving past the C2 servers and into operators' workstations.
We'll talk about the Sidecopy threat actor, their tradecraft, and how they appeared on our radar. We'll show one of the rare cases where we observed Sidecopy deploy Hak5 equipment in real-world operations and how we tied this back to known infrastructure.
A rogue C2 node allowed us to map out Turla's efforts. We'll talk about networks where Turla had access to C2s but chose not to deploy their agents. Lastly, we'll talk about how their activities have shifted due to public disclosure and where they have been operating for the last several months.
This talk came from research that took place over the course of a year, but the overall scope of activity had been going on for roughly 3 years. We originally got on the trail of a ReverseRAT sample and developed analytics that allowed us to enumerate the C2s being used by Sidecopy. Soon we found some interesting aspects that led us down the rabbit hole. The first of these was the Hak5 device that communicated with those Pakistani C2s from inside an Indian embassy in Europe. This was our first sign of something very interesting, as we don't see that every day. We'll talk about how that was identified; we can of course speculate on how a physical device got in there, but as interesting as it is, that's a story we can only guess at. In this case, they were clearly going after some of their more strategic objectives: breaking into the Indian government and those of their neighbors in Afghanistan, while keeping tabs on the government in Syria during the conflict there.
Where things got even more interesting is how pivoting off those original ISI C2s led us to Turla.
Given the international climate over the last few years, Turla was of special interest to us. Turla is infamous for using old-school spycraft to camouflage their activities, working through others' infrastructure and appearing to be anything other than what they are. While we can expect them to stay true to their core techniques in the future, our reporting has changed some of their activities, and we'll include that in the talk.
The talk will chart the connections of the ISI into their targets, as well as those of Turla into the ISI, and downstream in each direction. We'll be using slides to show the scope of activity and to describe the tradecraft and tools used by both parties. We'll also go over some of the indicators that defenders can use to identify the tendencies that reveal these threat actors.
And of course, we'll have some memes along the way. Probably some dogs in there for good measure.
Danny Adamitis is a Distinguished Engineer at Black Lotus Labs, the threat research team at Lumen Technologies. Danny has tracked nation-state adversaries and cybercriminals using both open-source and proprietary datasets in various roles for several years. More recently he has focused on threats to ISPs, including campaigns in which actors targeted networking equipment, Linux servers, and DNS infrastructure. Prior to joining Lumen Technologies, Daniel worked at Cisco Talos. Danny has a bachelor’s degree in Diplomacy and International Relations from Seton Hall University.