
Russian Spies Targeted Ukraine with Cybercriminal Tools

December 11, 2024

Ukraine’s Military Targeted by Russian-Linked Hackers Utilizing Cybercriminal Infrastructure

Recent investigations reveal that a hacking group, believed to be supported by the Russian government, has been actively targeting Ukraine’s military. This campaign leverages tools and infrastructure originally developed by independent cybercriminal entities.

Details of the Hacking Campaign

Microsoft released a report on Wednesday outlining the activities of a group identified as Secret Blizzard. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously linked Secret Blizzard to Center 16 of the Russian Federal Security Service (FSB), also known as Turla.

Between March and April of this year, Secret Blizzard employed a botnet called Amadey – reportedly available for purchase on Russian hacking forums – in attempts to compromise “devices associated with the Ukrainian military.”

Microsoft’s research suggests the group either acquired access to the Amadey botnet through a paid “malware as a service” arrangement or by directly hacking into the system. The investigation into the access method is ongoing.

Strategic Use of Third-Party Infrastructure

The report highlights a deliberate strategy by Secret Blizzard to utilize existing infrastructure from external sources. This approach allows the group to establish espionage footholds by either covertly obtaining or purchasing access.

Evading detection is a key objective. According to Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, employing readily available tools can obscure the threat actor’s origins and complicate attribution efforts.

Typically, the Amadey botnet is utilized by cybercriminals for the installation of cryptocurrency mining software. Microsoft affirms that the individuals operating Amadey are distinct from those associated with Secret Blizzard.

Targets and Previous Activity

This particular campaign focused on computers linked to the Ukrainian Army and the Ukrainian Border Guard. Microsoft indicates this is “at least the second time since 2022” that Secret Blizzard has exploited a cybercrime campaign to gain access for its own malware within Ukraine.

Secret Blizzard is known for targeting a broad range of entities globally, including “ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies.” Their primary focus is long-term espionage and intelligence gathering.

Malware Deployment and Starlink Targeting

The analyzed Secret Blizzard malware sample was designed to collect basic system information – such as device name and installed antivirus software – as a preliminary step before deploying further malicious software and tools.

This initial deployment served to assess whether targets were “of further interest.” Notably, devices utilizing Starlink, SpaceX’s satellite internet service employed by the Ukrainian military, were specifically targeted.

DeGrippo stated the attribution to Secret Blizzard is confident due to the use of custom backdoors, Tavdig and KazuarV2, which have not been observed in use by any other hacking groups.

Co-opting Other Nation-State Actors

Recent reports from Microsoft and Black Lotus Labs detail how Secret Blizzard has been leveraging the tools and infrastructure of other nation-state hacking groups since 2022. Previously, the group exploited a Pakistan-based group’s infrastructure to target military and intelligence assets in Afghanistan and India.

Microsoft notes that this tactic of utilizing other hackers’ resources dates back to 2017, with instances involving Iranian government hackers and a hacking group originating from Kazakhstan.

Lack of Response

Requests for comment sent to the Russian embassy in Washington, D.C., and the FSB have gone unanswered.

Correction: This story was updated on December 11 to correct a link to a CISA report.
