Danny Adamitis
Sheep Dipped: Blizzards on the Side
What started out as a routine investigation into malicious activity against a power generation company led to a multi-year investigation. The initial victim’s server led us to uncover an entire network of computer network operations associated with a Pakistan-based actor, ranging from remotely deployed RATs to the existence of a close access team. Lumen’s telemetry identified this close access team, which used Hak5 servers communicating with sensitive government networks on two different continents.
Through the monitoring of this network, Black Lotus Labs uncovered one of the most elusive threat actors in the world, Secret Blizzard, a.k.a. Turla. This group rose to notoriety with its unique tradecraft: compromising and repurposing other groups’ command and control servers, exfiltrating data, and deploying its own tool sets. This case study is the fourth documented case of Turla hacking another actor’s C2 nodes. However, it is the first documented case of Turla transitioning from the C2s into the operator’s workstation. What will be presented are the activities that led to our first exposure, and new information that has come to light since then. I will discuss how I uncovered all this, as well as their targeting over the past two years and into the present.
Danny is a cybersecurity leader with over a decade of success discovering, tracking, and performing coordinated disruption activities against apex nation-state computer network operations. He has published over 30 research papers in total, 20 while employed at Lumen. Danny predominantly focuses on emerging threats to telecommunications-related technologies, such as routers, firewalls, and DNS infrastructure. These efforts have culminated in ‘court authorized disruption’ efforts. His research has been cited by the US media as informative, and by the Chinese Ministry of Foreign Affairs as “disinformation”.
