Russian Cyber Elite Masks Military Strikes on Ukraine Behind Rival Hackers’ Networks

Russian Cyber-Espionage Group Exploits Multiple Networks to Target Ukrainian Military

Microsoft and Lumen have uncovered new operations by the Russian cyber-espionage group Turla (Secret Blizzard), revealing sophisticated attacks targeting Ukrainian military devices connected to Starlink. The group, linked to Russia’s Federal Security Service (FSB), has been observed hijacking infrastructure from multiple threat actors between March and April 2024.

Key Findings:
– Turla utilized the Amadey botnet and infrastructure from Russian hacking group Storm-1837
– The group deployed custom malware families including Tavdig and KazuarV2
– Primary targets were Ukrainian military devices using Starlink internet connections

Attack Methodology:
1. Initial Access:
– Phishing emails with malicious attachments
– Storm-1837 backdoors
– Amadey botnet deployment

2. Malware Deployment:
– PowerShell droppers containing Base64-encoded Amadey payload
– Tavdig backdoor (“rastls.dll”) for reconnaissance
– KazuarV2 for advanced persistent access

Technical Details:
Tavdig serves as an initial backdoor, collecting system information and deploying additional payloads. KazuarV2, a more sophisticated tool, provides long-term intelligence gathering capabilities by injecting into legitimate processes like ‘explorer.exe’ or ‘opera.exe’.
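The two behaviours described above (a PowerShell dropper launched with a Base64-encoded command, and a DLL named rastls.dll loaded into explorer.exe or opera.exe) are the kind of thing an endpoint detection rule can triage. The following is an added example for illustration, not code from Microsoft, Lumen or the article; the telemetry field names (event_type, image, command_line, parent_image, loaded_module) and every sample record are constructed for this example, and the "Office spawns PowerShell" check is a general heuristic added to reflect the phishing-attachment delivery the article mentions, not an indicator from the report.

```python
"""Triage constructed endpoint-telemetry records for two behaviours the article
attributes to the Turla campaign: encoded PowerShell droppers and the Tavdig
DLL (rastls.dll) loaded into explorer.exe / opera.exe.  Field names and sample
records are constructed for this example."""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
# Requiring a Base64 run of 16+ characters after the switch keeps
# "-ExecutionPolicy Bypass" from matching.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")

# Heuristic: Office applications spawning PowerShell is consistent with a
# malicious attachment (assumption added for this example, not from the report).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Processes the article names as injection hosts for the Turla tooling.
INJECTION_HOSTS = {"explorer.exe", "opera.exe"}
TAVDIG_DLL = "rastls.dll"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (constructed records use backslashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64: str) -> Optional[str]:
    """PowerShell's -EncodedCommand is Base64 over UTF-16LE; return the script or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: Dict[str, str]) -> List[str]:
    """Return the list of findings for one telemetry record (empty if benign)."""
    findings: List[str] = []
    image = _basename(event.get("image", ""))
    etype = event.get("event_type", "")

    if etype == "process_create" and image == "powershell.exe":
        match = ENCODED_SWITCH.search(event.get("command_line", ""))
        if match:
            decoded = decode_encoded_command(match.group(1))
            if decoded is None:
                findings.append("encoded_powershell: undecodable payload")
            else:
                # Surface the decoded script so an analyst sees what the dropper ran.
                findings.append(f"encoded_powershell: decoded={decoded!r}")
        if _basename(event.get("parent_image", "")) in OFFICE_PARENTS:
            findings.append("office_spawned_powershell")

    if (etype == "image_load" and image in INJECTION_HOSTS
            and _basename(event.get("loaded_module", "")) == TAVDIG_DLL):
        findings.append("tavdig_dll_in_host_process")

    return findings


def run(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map record index -> findings, keeping only records that fired."""
    return {i: f for i, e in enumerate(events) if (f := triage(e))}


# Constructed sample telemetry (not real IoCs): two suspicious and two benign records.
_ENCODED = base64.b64encode("Start-Process notepad".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"event_type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {_ENCODED}",
     "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"event_type": "image_load", "image": "C:\\Windows\\explorer.exe",
     "loaded_module": "C:\\Users\\Public\\rastls.dll"},
    {"event_type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event_type": "image_load", "image": "C:\\Program Files\\Opera\\opera.exe",
     "loaded_module": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for idx, findings in run(SAMPLE_EVENTS).items():
        print(idx, findings)
```

Decoding the encoded command rather than merely flagging the switch matters in practice: the switch alone is common in benign automation, and the decoded script is what lets an analyst separate a staged payload from a scheduled maintenance task.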

The campaign specifically targeted devices using Starlink IP addresses, indicating a focus on front-line military operations. Microsoft’s investigation suggests Turla either purchased access to the Amadey botnet or compromised its control infrastructure to facilitate these attacks.

This operation demonstrates Turla’s evolving tactics of leveraging multiple threat actors’ infrastructure to mask their activities while conducting military-focused cyber espionage operations in Ukraine.