The war between Russia and Ukraine continues and Starlink satellites play a fundamental role. Thanks to SpaceX satellite internet, Ukrainians can stay connected despite attacks. However, Russian hackers are managing to hack Starlink-connected devices.
Microsoft has discovered that Russian hacking groups, known for using Trojan packages such as Turla, Waterbug, Snake and Venomous Bear, are resorting to unusual practices to access their adversaries’ information. In order to learn about the movements of Ukrainians, Russian soldiers have taken over the infrastructure of other threat actors. They have used this to infect the devices used by the Ukrainian military on the front.
On at least two occasions (March and April 2024), they have used servers and malware from other threat groups for cyberattacks against Ukrainian frontline forces. For example, one of the groups (which Microsoft has dubbed Secret Blizzard) took advantage of the infrastructure of a cybercriminal cluster tracked as Storm-1919. Specifically, they used the Amadey bot malware, which is very effective at gaining access to devices specifically associated with the Ukrainian military.
Microsoft has also found evidence that Secret Blizzard used the infrastructure of another threat actor (Storm-1837) in January 2024. In this case, it served to attack Ukrainian military drone operators by downloading the Tavdig and KazuarV2 backdoors onto a target device in Ukraine. Microsoft researchers do not know how this Russian hacking group gained access to the cybercriminal infrastructure. However, the discoveries indicate that the Russians are resorting to unusual routes to track devices connected to Starlink during their invasion of Ukraine.
Microsoft Threat Intelligence
@MsftSecIntel
After co-opting the tools and infrastructure of another nation-state threat actor to facilitate espionage activities, Russian nation-state actor Secret Blizzard used those resources to compromise targets in Ukraine. https://t.co/DUgssiyOkI
December 11, 2024 • 18:02
Behind the Hacker Group Secret Blizzard
The Russian hacker group Secret Blizzard has become well known during the war between Russia and Ukraine for attacking various Ukrainian sectors. These include attacks on foreign ministries, embassies, government offices, defense departments and defense-related companies around the world.
According to Microsoft, the group focuses “on gaining long-term access to systems for intelligence gathering.” They frequently go after sensitive, politically significant information. They usually do this with Trojans like Turla, Waterbug, Venomous Bear, Snake, Turla Team, and Turla APT Group. But now they are turning to other resources.
Microsoft is tracking the methods used by Secret Blizzard. When it detects attacks or compromised devices, it notifies customers so they can protect themselves. But Secret Blizzard’s unusual activity is difficult to predict, so Microsoft has shared some of the findings it made throughout this year to raise awareness of the new techniques and to help organizations strengthen their systems.
Ukrainian military personnel targeted by Russian hackers
Microsoft Threat Intelligence is evaluating “Secret Blizzard’s pursuit of footholds provided to or stolen from other threat actors.” According to the researchers, they prioritize hacking infrastructures to access “military devices in Ukraine,” which operate with a connection to Starlink.
In the cases detected in March and April, Secret Blizzard used Storm-1919’s Amadey bot, which is normally used in cryptojacking campaigns that deploy the XMRIG cryptocurrency miner on targeted servers. Cybercriminals use this malware to mine digital currencies on victims’ machines. However, Secret Blizzard gave Amadey another use: downloading a PowerShell dropper onto the targeted Ukrainian devices. The dropper contained “a Base64-encoded Amadey payload with accompanying code that invoked a request to Secret Blizzard’s C2 infrastructure.”
The final objective of the Russian hackers was to install the Tavdig malware, which was used to perform reconnaissance tasks on targets of interest. In this way, Secret Blizzard collected information from devices’ clipboards and extracted passwords from browsers. The tool was capable of detecting the devices that hackers were most interested in, such as those coming from Starlink IP addresses.
The hacking group focused on this satellite Internet service because it is the one most commonly used on frontline military devices in Ukraine. Only when Secret Blizzard determined that a detected device was a high-value target did they install Tavdig to collect user information, netstat output, installed patches and more. In addition to the focus on Ukrainian military devices, Microsoft is also investigating the possibility that they may have tried to access information from ministries of the enemy country.