Russian Hackers Hijack Criminal Malware to Launch Sophisticated Cyber Attack on Ukraine Military

Russian Hackers Exploit Multiple Attack Vectors to Target Ukraine

Microsoft’s threat intelligence team has uncovered new activity by Secret Blizzard (also known as Turla), a Russian state-sponsored hacking group, targeting Ukrainian military systems between March and April 2024. The group was observed using the Amadey bot malware and its infrastructure to deploy the sophisticated Kazuar backdoor.

Key Developments:
– Secret Blizzard commandeered Amadey malware infrastructure to infiltrate specifically selected Ukrainian military targets
– The group deployed a multi-stage attack sequence involving the Tavdig backdoor and an updated version of Kazuar
– This marks the second documented instance since 2022 of the group piggybacking on an existing cybercrime campaign

Attack Methodology:
1. Initial access through compromised Amadey bot infrastructure
2. Deployment of a PowerShell dropper carrying an encoded payload
3. Deployment of reconnaissance tools
4. Installation of the Tavdig backdoor using DLL side-loading techniques
5. Final deployment of KazuarV2

The group has also been observed:
– Hijacking 33 command-and-control servers from a Pakistani hacking group
– Repurposing tools from Flying Yeti (Storm-1837)
– Using various attack methods, including adversary-in-the-middle campaigns and strategic web compromises

Primary Targets:
– Foreign affairs ministries
– Embassies
– Government offices
– Defense departments
– Military-related organizations

This approach demonstrates Secret Blizzard’s evolving tactics for maintaining covert access while complicating attribution. Microsoft continues to investigate how the group gains control of other threat actors’ infrastructure for its espionage campaigns.
