A Russian state-backed hacker group used tools and infrastructure developed by cybercriminals to target the Ukrainian military, according to a new investigation.
On Wednesday, Microsoft released a report detailing a hacking campaign carried out by a group the company calls Secret Blizzard. The group previously stated that the US Cybersecurity and Infrastructure Security Agency (CISA) is “almost certainly subordinate to Russia's Federal Security Service (FSB) Center.” ”, which other security companies call Turla.
In a report shared with TechCrunch ahead of publication, Microsoft researchers say Secret Blizzard was sold on Russian hacking forums to attempt to infiltrate “devices associated with organizations in Ukraine” and cyberattacks. It said it used a botnet known as Amadey, which is said to have been developed by a criminal group. “Military” from March to April of this year. While the company acknowledges that it is still investigating how Secret Blizzard gained access to Amadey, the company does not know whether the hacking group used a botnet it paid for as malware-as-a-service or hacked it. I think it's either.
According to the report, “Secret Blizzard leverages footholds from third parties by covertly stealing or purchasing access as a specific and intentional method to establish footholds of espionage value. The Amadey botnet is also mentioned as one such third party.
One of the hackers' goals was to evade detection. Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told TechCrunch: “By using commodity tools, threat actors can potentially hide their origins and make it more difficult to identify.” Ta.
Contact Us Do you have more information about Russian hackers targeting Ukraine? Or is it some other type of cyber espionage? Contact us from your non-work device on Signal (+1 917 257 1382) or on Telegram and Keybase @lorenzofb or electronically You can contact Lorenzo Franceschi-Bicchierai securely by email. You can also contact TechCrunch via SecureDrop.
According to the report, the Amadey botnet is typically used by cybercriminals to install cryptominers. DeGrippo said Microsoft is confident that the hackers behind Amadey and Secret Blizzard are different people.
In this campaign, Secret Blizzard targeted computers associated with the Ukrainian military and the Ukrainian Border Guard, DeGrippo told TechCrunch. Microsoft said these recent cyberattacks are “at least the second time since 2022 that Secret Blizzard has used a cybercriminal campaign to establish a foothold for its malware in Ukraine.”
According to Microsoft's report, Secret Blizzard focuses on long-term espionage and intelligence gathering and is known to target “foreign ministries, embassies, government offices, ministries of defense, and defense companies around the world.” It is being
In this case, the Secret Blizzard malware sample analyzed by Microsoft attempts to collect information about the victim's system, such as the device name and installed antivirus software, as a first step to deploying other malware and tools. It was designed to.
According to Microsoft researchers, Secret Blizzard deployed this malware to devices to determine if the target was “more interesting.” For example, Secret Blizzard targeted devices that use Starlink, SpaceX's satellite service, which the Ukrainian military uses in combat operations against invading Russian forces.
DeGrippo said the company believes the hacking campaign was carried out by Secret Blizzard, in part because the hackers used a custom backdoor called Tavdig and KazuarV2 that “we haven't seen used by other groups.” He said he is doing so.
Last week, Microsoft and security firm Black Lotus Labs released a report showing how Secret Blizzard has been using the tools and infrastructure of another nation-state hacker group for espionage since 2022. In this incident, Secret Blizzard took advantage of a Pakistan-based hacking group to target military and intelligence targets in Afghanistan and India, according to the companies' investigations. At the time, Microsoft noted that Secret Blizzard had used this technique, which leverages the tools and infrastructure of other hackers, in incidents involving Iranian government hackers and a Kazakh hacker group since 2017.
The Russian Embassy in Washington DC and the FSB did not respond to requests for comment.