For Russian spies, existing cybercrime tools become avenues into Ukrainian military devices

Avatar

Kremlin-backed hackers have turned to an unconventional tactic to target Ukraine’s military, researchers have found. In a recent campaign, the group known as Secret Blizzard hijacked tools and infrastructure from Russian cybercriminals, repurposing them for espionage.

The likely aim of this approach is to diversify the group’s attack vectors, according to a new report by Microsoft. Other researchers have previously noted that this tactic also complicates attribution, allowing the group to shift blame to other threat actors if their malicious actions are uncovered.

Secret Blizzard, also tracked as Turla, has tried the strategy elsewhere before using it in Ukraine. Researchers have identified at least four instances where the group appeared to embed itself in another threat actor’s operations. Earlier in December, Microsoft detailed Secret Blizzard’s attacks on government-related targets in India and Afghanistan, conducted through the infrastructure used by the Pakistan-based cyber-espionage group.

In a report published Wednesday, Microsoft said it discovered two campaigns in which Secret Blizzard used the infrastructure of fellow threat actors to deploy custom malware on devices associated with the Ukrainian military.

Between March and April of this year, Secret Blizzard appropriated a tool called Amadey, which is associated with the cybercrime group Storm-1919, known for deploying cryptocurrency miners.

In this campaign, the Russian state-backed cyberspies used Amadey to gather information about the victim system, check for installed antivirus software, and later deploy the Tavdig backdoor to conduct further surveillance.

As part of this operation, Secret Blizzard targeted some of Ukraine’s military devices that communicate or transmit data over the internet using Starlink’s satellite-based internet service, according to the report.

Microsoft said that Secret Blizzard either used the Amadey malware as a service or covertly accessed its infrastructure. The tool is sold for about $500 on Russian-speaking hacking forums.

In the second campaign, in January, Secret Blizzard used the backdoor of Storm-1837, another Russia-based threat actor that previously targeted Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors onto a target device in Ukraine. KazuarV2 is designed for long-term intelligence collection and data exfiltration.

Storm-1837 uses a range of backdoors, including Cookbox, as well as an Android backdoor impersonating a legitimate system used for AI processing, called Griselda.

It is not clear how successful these two campaigns were or what kind of data — if any — Secret Blizzard managed to obtain. The group, previously linked to Russia’s Federal Security Service (FSB), is known for stealing politically significant information, particularly advanced research.

Secret Blizzard has a history of targeting ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. During its operations, it collects and exfiltrates sensitive materials, including documents, PDFs and email content.

CybercrimeMalwareNewsNation-state
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Previous Post

Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online

Next Post

Cleo urges customers to ‘immediately’ apply new patch as researchers discover new malware

Related Posts

New Malware Technique Could Exploit Windows UI Framework to Evade EDR Tools

A newly devised technique leverages a Windows accessibility framework called UI Automation (UIA) to perform a wide range of malicious activities without tipping off endpoint detection and response (EDR) solutions. "To exploit this technique, a user must be convinced to run a program that uses UI Automation," Akamai security researcher Tomer Peled said in a report shared with The Hacker News. "
Avatar
Read More