Date: 2024-12-12

A Russian government-backed hacker group known as Secret Blizzard has targeted Ukrainian military personnel by employing tools and infrastructure developed by cybercriminals. The findings highlight the increasing complexity of cyberwarfare tactics, where state actors leverage resources from criminal organisations.

Source: Microsoft report shared with TechCrunch prior to publication

Details: The report describes how Secret Blizzard, linked to Russia's Federal Security Service (FSB) and also known as Turla by other cybersecurity firms, used a botnet named Amadey to attack devices connected to Ukrainian military personnel and border guards between March and April this year.

Amadey, commonly employed by cybercriminals for installing cryptominers, is sold on Russian hacker forums. Microsoft researchers believe that Secret Blizzard either paid for access to the botnet as a service or hacked it. Using such tools enables hackers to avoid detection and obscure their origin, explained Sherrod DeGrippo, Microsoft’s Director of Threat Intelligence Strategy.

The group's operations aim to gather intelligence and establish long-term espionage footholds. Malware used in this campaign was designed to collect system information, such as device names and antivirus software, as a precursor to deploying additional malicious software or hacking tools. Among the targets were devices using Starlink, SpaceX’s satellite service that plays a crucial role in Ukrainian military operations.

Microsoft researchers also found that this is not the first instance of such activity. Secret Blizzard has repeatedly used cybercriminal infrastructure for its operations in Ukraine since 2022, employing these tools to facilitate the deployment of its own malware.

Microsoft’s report indicates the Secret Blizzard group has a long history of attacks on foreign ministries, embassies, government agencies and defence-related organisations worldwide. The group’s methods often involve using tools and infrastructure belonging to other hacker groups. For example, since 2017, Secret Blizzard has used the tools and infrastructure of state-backed hacking operations from Iran, Kazakhstan, and Pakistan to conduct espionage campaigns in regions such as Afghanistan and India.

Last week, Microsoft and Black Lotus Labs reported that Secret Blizzard used tools from a Pakistani hacker group to target military and intelligence systems in Afghanistan and India. This "tool hijacking" tactic has become a hallmark of Secret Blizzard’s activities.

