Hacker organization supported by the Russian government used cybercriminals’ tools and infrastructure to target Ukraine’s military, according to new study.
Microsoft released a report on Wednesday that described a hacking campaign conducted by a group it names Secret Blizzard. Other security firms refer to this group as Turla, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously stated that it “is a known unit within Center 16” of the Russian Federal Security Service (FSB).
According to the Microsoft researchers’ report, which was leaked to media before it was published, Secret Blizzard attempted to breach “devices associated with the Ukrainian military” between March and April of this year using a botnet called Amadey, which is purportedly sold on Russian hacking forums and created by a cybercriminal organization. The company acknowledges that it is currently looking into how Secret Blizzard was able to access Amadey, but believes the hacker organization either hacked into it or used the botnet by purchasing it as malware as a service.
“Secret Blizzard has been using footholds from third parties — either by surreptitiously stealing or purchasing access — as a specific and deliberate method to establish footholds of espionage value,” according to the report, referring to the Amadey botnet as one of those third parties.
Avoiding discovery was one of the hackers’ objectives. “Using commodity tools allows the threat actor to potentially hide their origin and make attribution more difficult,” Microsoft’s director of threat intelligence strategy Sherrod DeGrippo told media.
According to the research, fraudsters typically employ the Amadey botnet to install a cryptominer. According to DeGrippo, Microsoft is certain that the hackers responsible for Secret Blizzard and Amadey are not the same.
In this campaign, Secret Blizzard targeted computers related to the Ukrainian Army and Ukrainian Border Guard, DeGrippo told media. Microsoft said these recent cyberattacks are “at least the second time since 2022 that Secret Blizzard has used a cybercrime campaign to facilitate a foothold for its own malware in Ukraine.”
It is known that Secret Blizzard targets “ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide” with a focus on long-term espionage and intelligence collection, according to Microsoft’s report.
The purpose of the Secret Blizzard malware sample that Microsoft examined in this instance was to collect data about a victim’s machine, including the device name and whether or not antivirus software was present, in order to subsequently install other malware and tools.
Secret Blizzard installed this malware on devices to see if the targets were “of further interest,” according to Microsoft researchers. For instance, Secret Blizzard targeted devices that used SpaceX’s Starlink satellite service, which the Ukrainian military has utilized in its operations against Russian invaders.
According to DeGrippo, the company is certain that Secret Blizzard was responsible for this hacking campaign, in part because the hackers utilized unique backdoors known as Tavdig and KazuarV2, which are “never seen used by other groups.”
Microsoft and security firm Black Lotus Labs released findings this week that demonstrated how, since 2022, Secret Blizzard has used the infrastructure and capabilities of another nation-state hacking outfit for its espionage operations. According to the research conducted by the two companies, Secret Blizzard exploited a hacking group located in Pakistan to target military and intelligence targets in Afghanistan and India. Microsoft stated at the time that Secret Blizzard had been using this tactic of exploiting the resources and infrastructure of other hackers since 2017 in incidents involving, among other things, a hacking group from Kazakhstan and hackers from the Iranian government.
Requests for response from the FSB and the Russian embassy in Washington, D.C., were not answered.