Secret Blizzard Targets Ukrainian Military with Custom Malware


Russian state threat actor Secret Blizzard has leveraged resources and tools used by other cyber groups to support the Kremlin’s military efforts in Ukraine, according to Microsoft.

These campaigns have consistently led to the download of Secret Blizzard’s custom malware on devices associated with the Ukrainian military.

The analysis is the second part of research conducted by Microsoft into the Russian cyber espionage gang.

The first, published on December 4, highlighted how Secret Blizzard has used the tools and infrastructure of at least six other threat actors during the past seven years, particularly targeting ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide.

This approach has enabled Secret Blizzard to diversify its attack vectors, including using strategic web compromises and adversary-in-the-middle (AiTM) campaigns.

The threat actor is believed to work on behalf of Russia’s Federal Security Service (FSB).


How Secret Blizzard Assists Russian Military Efforts

The new research highlighted a number of examples of Secret Blizzard using other threat groups’ infrastructure to compromise targets in Ukraine to support Russia’s invasion of the country.

Amadey Bot Use

Between March and April 2024, Microsoft observed Secret Blizzard using Amadey bots to deploy their custom Tavdig backdoor against specifically selected target devices associated with the Ukrainian military.

The Tavdig backdoor is used to create a foothold to install the group’s KazuarV2 backdoor.

Amadey bot activity is associated with a threat actor tracked as Storm-1919, which primarily deploys XMRIG cryptocurrency miners onto victim devices.

Microsoft assessed that Secret Blizzard either used the Amadey malware-as-a-service (MaaS) or accessed the Amadey command-and-control (C2) panels surreptitiously to download a PowerShell dropper on target devices.

The group then downloaded their custom reconnaissance tool, which was selectively deployed to devices of further interest by the threat actor, such as devices egressing from STARLINK IP addresses, a common signature of Ukrainian front-line military devices.

This tool was used to determine if a victim device was of further interest, in which case it would deploy a PowerShell dropper containing the Tavdig backdoor payload.

Storm-1837 PowerShell Backdoor Use

In January 2024, Microsoft observed Secret Blizzard utilizing the tools and infrastructure of Storm-1837, a Russia-based threat actor, to deploy Tavdig and KazuarV2 backdoors on Ukrainian military devices.

Storm-1837 uses a range of PowerShell backdoors to target devices used by Ukrainian drone operators.

Microsoft said a military-related device in Ukraine compromised by a Storm-1837 backdoor was likely configured by Secret Blizzard to use the Telegram API to launch a cmdlet with credentials for an account on the file-sharing platform Mega.

The cmdlet appeared to have facilitated remote connections to the account at Mega and likely invoked the download of commands or files for launch on the target device.

A PowerShell dropper very similar to the one observed in the Amadey bot chain was then deployed to the device; it contained two base64-encoded files carrying the Tavdig backdoor payload.

As with the Amadey bot attack chain, Secret Blizzard used the Tavdig backdoor loaded into kavp.exe to conduct initial reconnaissance on the device. The group then used Tavdig to import a registry file, which was used to install and provide persistence for the KazuarV2 backdoor.
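Both chains above end with a PowerShell dropper that carries base64-encoded payloads and, in the Storm-1837 case, a registry file imported for persistence. The following is an added triage helper, not code from Microsoft's report or from any of the tooling it describes; it decodes long base64 runs in a script, labels each blob by its leading bytes (PE image, .reg file, or other), and pairs that with staging and C2 strings the article mentions (Telegram API, Mega). The embedded sample dropper and every path, token and registry key in it are constructed placeholders.

```python
import base64
import re

# Constructed sample (not a real Secret Blizzard artifact): a PowerShell dropper that
# carries two base64 blobs, one a PE image stub and one a .reg persistence file.
PE_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
REG_STUB = (b"Windows Registry Editor Version 5.00\r\n\r\n"
            b"[HKEY_CURRENT_USER\\Software\\Classes\\PLACEHOLDER]\r\n")
SAMPLE_DROPPER = (
    "$a = '" + base64.b64encode(PE_STUB).decode() + "'\n"
    "$b = '" + base64.b64encode(REG_STUB).decode() + "'\n"
    "[IO.File]::WriteAllBytes('C:\\Users\\Public\\k.dll', [Convert]::FromBase64String($a))\n"
    "[IO.File]::WriteAllBytes('C:\\Users\\Public\\p.reg', [Convert]::FromBase64String($b))\n"
    "reg import C:\\Users\\Public\\p.reg\n"
    "Invoke-RestMethod 'https://api.telegram.org/botPLACEHOLDER/getUpdates'\n"
)

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs only
STRINGS = ("FromBase64String", "WriteAllBytes", "reg import", "api.telegram.org", "mega.nz")

def classify(data: bytes) -> str:
    """Label a decoded blob by its leading bytes."""
    if data[:2] == b"MZ":
        return "pe"
    if data.startswith(b"Windows Registry Editor"):
        return "reg"
    return "other"

def find_embedded_blobs(script: str):
    """Decode every long base64 run in a script; returns [(offset, kind, size)]."""
    found = []
    for m in B64_RUN.finditer(script):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid base64 (bad length/padding), skip it
            continue
        found.append((m.start(), classify(data), len(data)))
    return found

def triage(script: str) -> dict:
    """Summarise dropper-like traits: embedded payload kinds plus staging/C2 strings."""
    blobs = find_embedded_blobs(script)
    kinds = sorted({k for _, k, _ in blobs})
    hits = [s for s in STRINGS if s.lower() in script.lower()]
    return {
        "blobs": len(blobs),
        "kinds": kinds,
        "indicators": hits,
        # flag when a PE or .reg payload is embedded alongside write/import/C2 primitives
        "suspicious": bool({"pe", "reg"} & set(kinds)) and len(hits) >= 2,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_DROPPER))
```

Run it against a script pulled from PowerShell script-block logging (Event ID 4104) to surface embedded executables and registry files before they are written to disk.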

Secret Blizzard Prioritizes Military Devices in Ukraine

Microsoft said it is currently unclear whether Secret Blizzard commandeered the above tools or purchased them.

Either way, the leveraging of these “footholds” demonstrates the threat actor’s prioritization of accessing military devices in Ukraine for intelligence-gathering purposes.

Secret Blizzard was observed using an RC4 encrypted executable to decrypt various survey cmdlets and scripts during these operations, which are likely to be utilized in later campaigns.
