12 December 2024

Russian Turla APT exploits other threat actors’ tools to attack Ukraine

The Russian nation-state actor known as Secret Blizzard (aka Turla) has been observed leveraging malware associated with other threat groups to deploy its advanced tools, targeting devices linked to Ukraine's military, according to a recent report by Microsoft's threat intelligence team.

The US authorities attribute Secret Blizzard to Center 16 of Russia’s Federal Security Service (FSB). The group is known for targeting government entities and defense sectors worldwide, with a focus on long-term intelligence gathering.

Microsoft says that Secret Blizzard used the Amadey bot malware to deliver its custom backdoor called “KazuarV2” onto specifically selected systems in Ukraine between March and April 2024.

This operation marks the second instance since 2022 of Secret Blizzard infiltrating cybercrime campaigns to deploy its custom malware in Ukraine. According to Microsoft, these campaigns consistently establish a foothold using the Tavdig backdoor, enabling the deployment of KazuarV2.

During the observed timeframe, Secret Blizzard exploited Amadey bots, malware linked to the cybercriminal activity Microsoft tracks as Storm-1919, to gain access to target devices. Storm-1919’s primary purpose is deploying cryptocurrency miners such as XMRIG, but Secret Blizzard co-opted the infrastructure to install a PowerShell dropper containing Tavdig.

The dropper included a Base64-encoded Amadey payload modified to communicate with Secret Blizzard’s command-and-control (C2) infrastructure. Reconnaissance tools were selectively deployed to devices of further interest, such as those accessing networks identified with Ukrainian front-line military units, including Starlink-based IP addresses.
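As a defensive triage aid for the Base64-embedded payload described above, here is an added example (not from the original article or from Microsoft's report) that scans a PowerShell script for long Base64 runs that decode to a PE image. The sample script and the stand-in PE image are constructed for the demonstration; the 200-character threshold is an assumption.

```python
import base64
import hashlib
import re

# Base64 runs of at least 200 chars (threshold is an assumption); droppers that
# embed a payload via [Convert]::FromBase64String(...) produce far longer runs.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def find_embedded_pe(script: bytes) -> list[dict]:
    """Decode every long Base64 run in a script and report those that look like a PE image."""
    hits = []
    for m in B64_RUN.finditer(script):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not a clean Base64 blob (bad length/padding)
        # A PE image starts with the DOS 'MZ' magic; e_lfanew at 0x3C points at 'PE\0\0'.
        if len(decoded) < 0x40 or decoded[:2] != b"MZ":
            continue
        e_lfanew = int.from_bytes(decoded[0x3C:0x40], "little")
        hits.append({
            "offset": m.start(),                      # where the blob sits in the script
            "size": len(decoded),                     # decoded payload size in bytes
            "pe_signature": decoded[e_lfanew:e_lfanew + 4] == b"PE\0\0",
            "sha256": hashlib.sha256(decoded).hexdigest(),  # for IoC lookup / sandbox submission
        })
    return hits


def _fake_pe(size: int = 256) -> bytes:
    """Constructed stand-in for a PE image: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))   # DOS header up to e_lfanew
    hdr += (0x40).to_bytes(4, "little")           # e_lfanew = 0x40
    hdr += b"PE\0\0"                              # NT signature at offset 0x40
    hdr += b"\0" * (size - len(hdr))              # padding to the requested size
    return bytes(hdr)


# Constructed sample: a dropper-style script that embeds the fake image as Base64.
SAMPLE_SCRIPT = (
    b"$p = [Convert]::FromBase64String('" + base64.b64encode(_fake_pe()) + b"')\n"
    b"$c = 'this string is not a payload'\n"
)

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_SCRIPT):
        print(hit)
```

Running the block on SAMPLE_SCRIPT reports one embedded image with a valid PE signature; on a script with no long Base64 runs it reports nothing.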

Once devices were identified as high-value targets, Secret Blizzard deployed the Tavdig backdoor, which used DLL sideloading techniques. The KazuarV2 payload was injected into browser processes like explorer.exe or opera.exe to enable communication with compromised servers, ensuring secure transmission of stolen data and commands.

Microsoft also found a potential link between Secret Blizzard and Storm-1837, another Russia-aligned actor targeting Ukrainian drone operators. In January 2024, Secret Blizzard likely used a Storm-1837 backdoor to deploy Tavdig and KazuarV2.

Storm-1837 employs a range of tools, including PowerShell backdoors (Cookbox) and Android malware masquerading as legitimate applications to collect sensitive data.

Storm-1837 has been active since late 2023, with its campaigns focused on espionage against Ukrainian military devices, including phishing campaigns hosted on platforms such as GitHub and Cloudflare.

Earlier this month, researchers observed Secret Blizzard hijacking command-and-control (C2) infrastructure of the Pakistan-based actor Storm-0156, as part of its “spy-on-spy” tactics.
