Microsoft’s threat intelligence team has uncovered new activities by Secret Blizzard (also known as Turla), a Russian state-sponsored hacking group, targeting Ukrainian military systems between March and April 2024. The group has been observed utilizing Amadey bot malware to deploy the sophisticated Kazuar backdoor.
Key Developments:
– Secret Blizzard commandeered Amadey malware infrastructure to infiltrate specifically selected Ukrainian military targets
– The group deployed a multi-stage attack sequence involving Tavdig backdoor and an updated version of Kazuar
– This marks their second documented instance since 2022 of piggybacking on an existing cybercrime campaign's infrastructure
Attack Methodology:
1. Initial access through compromised Amadey bot infrastructure
2. Deployment of PowerShell dropper with encoded payload
3. Implementation of reconnaissance tools
4. Installation of Tavdig backdoor using DLL side-loading techniques
5. Final deployment of KazuarV2
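Step 2 of the chain above, a PowerShell dropper launched with an encoded payload, is the stage a defender can most readily surface in process-creation telemetry. The following Python is an added detection example, not code from Microsoft's report and not tied to any of the samples it describes: it decodes the `-EncodedCommand` argument (PowerShell accepts any unambiguous abbreviation, so `-e`, `-ec`, `-enc` and so on are all handled), flags dropper-style command-line switches, inspects the decoded script for common staging patterns, and checks whether the parent process ran from a user-writable location. The event field names (`parent_image`, `image`, `command_line`) and the sample events are constructed for this example.

```python
import base64
import binascii
import re

# powershell.exe matches parameters by prefix, so every prefix of "encodedcommand"
# (plus the documented short form "ec") can introduce an encoded script.
_ENC_PREFIXES = ["encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)] + ["ec"]
_ENC_RE = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(_ENC_PREFIXES, key=len, reverse=True)) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Switches commonly seen on droppers that want to run unseen and without policy prompts.
_CMDLINE_INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+(?:bypass|unrestricted)", re.I),
    "non-interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
}

# Patterns in the *decoded* script that suggest staging rather than administration.
_PAYLOAD_INDICATORS = {
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "nested base64": re.compile(r"frombase64string", re.I),
    "in-memory load": re.compile(r"\[reflection\.assembly\]::load|add-type", re.I),
}

_OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
_USER_WRITABLE = re.compile(r"\\(?:appdata|temp|downloads|public)\\", re.I)


def extract_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as base64 over UTF-16LE text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyse_event(event):
    """Score one process-creation event; returns the decoded script and the reasons it was flagged."""
    reasons = []
    cmd = event["command_line"]
    for name, rx in _CMDLINE_INDICATORS.items():
        if rx.search(cmd):
            reasons.append(name)
    decoded = extract_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
        for name, rx in _PAYLOAD_INDICATORS.items():
            if rx.search(decoded):
                reasons.append("payload: " + name)
    parent = event.get("parent_image", "")
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    if parent_name in _OFFICE_PARENTS or _USER_WRITABLE.search(parent):
        reasons.append("unusual parent: " + parent_name)
    return {"decoded": decoded, "reasons": reasons, "score": len(reasons)}


def triage(events, threshold=3):
    """Return (index, analysis) for every event whose indicator count reaches the threshold."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyse_event(ev))["score"] >= threshold]


def _enc(script):
    """Encode a script the way powershell.exe expects it for -EncodedCommand (used to build sample data)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events; none of these values come from the Microsoft report.
SAMPLE_EVENTS = [
    {   # Benign: an admin query launched from an interactive shell, encoded but otherwise ordinary.
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoProfile -EncodedCommand "
        + _enc("Get-Service | Where-Object Status -eq 'Stopped'"),
    },
    {   # Dropper-like: hidden, policy bypass, nested base64 + IEX, parent running out of %TEMP%.
        "parent_image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoProfile -w hidden -ep bypass -enc "
        + _enc("$b=[Convert]::FromBase64String('QUJD');IEX ([Text.Encoding]::Unicode.GetString($b))"),
    },
    {   # Unrelated process, should produce no indicators at all.
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe readme.txt",
    },
]

if __name__ == "__main__":
    for idx, result in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score={result['score']} reasons={result['reasons']}")
        print("  decoded:", result["decoded"])
```

The threshold keeps a lone encoded command from alerting on its own, since legitimate automation uses `-EncodedCommand` routinely; what separates the dropper from the admin script is the combination of a hidden window, a policy bypass, nested decoding in the payload, and a parent executing from a user-writable directory. In production the decoded script would be attached to the alert so the analyst can see the second stage without re-decoding it by hand.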
The group has also been observed:
– Hijacking 33 command-and-control servers from a Pakistani hacking group
– Repurposing tools from Flying Yeti (Storm-1837)
– Utilizing various attack methods including adversary-in-the-middle campaigns and strategic web compromises
Primary Targets:
– Foreign affairs ministries
– Embassies
– Government offices
– Defense departments
– Military-related organizations
This approach demonstrates Secret Blizzard’s evolving tactics: routing its own tooling through other actors’ footholds lets it maintain covert access while complicating attribution. Microsoft continues to investigate how the group gains control of other threat actors’ infrastructure for its espionage campaigns.