Russian government spies targeted Ukraine using tools developed by cybercriminals

A Russian government-backed hacking group targeted Ukraine’s military using tools and infrastructure developed by cybercriminals, according to new research.

On Wednesday, Microsoft published a report detailing a hacking campaign carried out by a group it calls Secret Blizzard, which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously said “is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18,” and which other security companies refer to as Turla. 

Microsoft researchers wrote in the report, shared with TechCrunch ahead of publication, that Secret Blizzard used a botnet known as Amadey, which is allegedly sold on Russian hacking forums and developed by a cybercriminal group, to attempt to break into “devices associated with the Ukrainian military” between March and April of this year. While admitting that it’s still investigating how Secret Blizzard gained access to Amadey, the company thinks the hacking group either used the botnet by paying for it as malware as a service, or hacked into it. 

“Secret Blizzard has been using footholds from third parties — either by surreptitiously stealing or purchasing access — as a specific and deliberate method to establish footholds of espionage value,” according to the report, referring to the Amadey botnet as one of those third parties. 

One of the hackers’ goals was to evade detection. Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, told TechCrunch that “using commodity tools allows the threat actor to potentially hide their origin and make attribution more difficult.” 

The Amadey botnet is normally used by cybercriminals to install a cryptominer, according to the report. Microsoft is confident that the hackers behind Amadey and those behind Secret Blizzard are different, DeGrippo said. 

In this campaign, Secret Blizzard targeted computers related to the Ukrainian Army and Ukrainian Border Guard, DeGrippo told TechCrunch. Microsoft said these recent cyberattacks are “at least the second time since 2022 that Secret Blizzard has used a cybercrime campaign to facilitate a foothold for its own malware in Ukraine.”

Secret Blizzard is known to target “ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide” with a focus on long-term espionage and intelligence collection, according to Microsoft’s report. 

In this case, the Secret Blizzard malware sample that Microsoft analyzed was designed to gather information about a victim’s system — such as device name and what, if any, antivirus software is installed — as a first step to then deploy other malware and tools. 

According to Microsoft’s researchers, Secret Blizzard deployed this malware on devices to determine whether the targets were “of further interest.” For example, Secret Blizzard targeted devices using Starlink, SpaceX’s satellite service, which has been used by the Ukrainian military in their operations fighting invading Russian forces.

DeGrippo said that the company is confident that this hacking campaign was conducted by Secret Blizzard in part because the hackers used custom backdoors called Tavdig and KazuarV2, “never seen used by other groups.”

Last week, Microsoft and security firm Black Lotus Labs published reports that showed how Secret Blizzard has co-opted the tools and infrastructure of another nation-state hacking group for its espionage activities since 2022. In that case, according to the two companies’ research, Secret Blizzard piggybacked on a Pakistan-based hacking group to reach military and intelligence targets in Afghanistan and India. At the time, Microsoft noted that Secret Blizzard has used this technique of taking advantage of other hackers’ tools and infrastructure since 2017, in cases involving Iranian government hackers and a Kazakhstan hacking group, among others.

The Russian embassy in Washington, D.C., and the FSB did not respond to requests for comment.
