Russian government hackers targeted Ukraine using tools developed by cybercriminals
A hacking group backed by the Russian government targeted the Ukrainian military using tools and infrastructure developed by cybercriminals, according to a new report.
On Wednesday, Microsoft published a report detailing a hacking campaign carried out by a group it tracks as Secret Blizzard, which the US Cybersecurity and Infrastructure Security Agency (CISA) has previously said is “probably under the control of the Russian Federal Security Service (FSB) Center 18,” and which other security companies refer to as Turla.
Microsoft researchers wrote in the report, shared with TechCrunch ahead of publication, that between March and April of this year Secret Blizzard used a botnet known as Amadey, which is sold on Russian hacking forums and developed by a group of cybercriminals, to try to break into devices associated with the Ukrainian military. Microsoft said it is still investigating how Secret Blizzard gained access to Amadey, but believes the group either paid for the botnet as malware-as-a-service or broke into its infrastructure.
“Secret Blizzard has been using access obtained from third parties – either by stealing it or buying it – as a specific and deliberate way to establish a foothold of espionage value,” according to the report, which describes the Amadey botnet as one of those third parties.
One of the hackers’ goals was to avoid detection. Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, told TechCrunch that “using commodity tools allows a threat actor to hide their origin and make attribution more difficult.”
Contact us
Do you have more information about Russian hackers targeting Ukraine? Or other cyberespionage activities? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or via email. You can also contact TechCrunch via SecureDrop.
The Amadey botnet is most often used by cybercriminals to install cryptominers, according to the report. Microsoft believes the hackers behind Amadey and those behind Secret Blizzard are different groups, DeGrippo said.
In this campaign, Secret Blizzard targeted computers associated with the Ukrainian Army and the Ukrainian Border Guard, DeGrippo told TechCrunch. Microsoft said this is “at least the second time since 2022 that Secret Blizzard has used a cybercriminal campaign to facilitate the deployment of its own malware in Ukraine.”
Secret Blizzard is known to target “foreign ministries, embassies, government offices, defense departments, and defense-related companies around the world,” with a focus on long-term espionage and intelligence gathering, according to Microsoft.
In this case, the Secret Blizzard malware sample analyzed by Microsoft was designed to collect information about the victim’s system – such as the name of the device and which anti-virus software, if any, is installed – as a first step before deploying additional malware and tools.
According to Microsoft researchers, Secret Blizzard deployed this malware to determine whether targets were “of interest.” For example, Secret Blizzard singled out devices using Starlink, SpaceX’s satellite internet service, which the Ukrainian military relies on in its operations against invading Russian forces.
DeGrippo said the company attributes the hacking campaign to Secret Blizzard because the hackers used backdoors called Tavdig and KazuarV2, “which have never been seen used by other groups.”
Last week, Microsoft and the security firm Black Lotus Labs published reports showing how Secret Blizzard has co-opted the tools and infrastructure of another nation-state hacking group for its espionage activities since 2022. In that case, according to the two companies’ research, Secret Blizzard piggybacked on a Pakistan-based hacking group to reach military and intelligence targets in Afghanistan and India. At the time, Microsoft noted that Secret Blizzard had used this approach of hijacking other groups’ tools and infrastructure since 2017, in cases involving Iranian government hackers and a Kazakh hacking group, among others.
The Russian embassy in Washington, DC, and the FSB did not respond to requests for comment.