12 December 2024

Russia’s Secret Blizzard APT targets Ukraine with Kazuar backdoor

As part of this operation, Secret Blizzard targeted some of Ukraine’s military devices that communicate or transmit data over the internet using Starlink's satellite-based internet service, according to the report. . .

  • The group, previously linked to Russia’s Federal Security Service (FSB), is known for stealing politically significant information, particularly advanced research.

Secret Blizzard has a history of targeting ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. During its operations, it collects and exfiltrates sensitive materials, including documents, PDFs and email content. 

Russia’s Secret Blizzard APT targets Ukraine with Kazuar backdoor

Pierluigi Paganini December 12, 2024

Russia-linked APT group Secret Blizzard is using Amadey Malware-as-a-Service to infect systems in Ukraine with the Kazuar backdoor.

The Russia-linked APT group Secret Blizzard (aka Turla, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) was spotted using the Amadey malware to deploy the KazuarV2 backdoor on devices in Ukraine.

The experts observed threat actors using the Amadey bot malware between March and April 2024. Microsoft highlights that the bot is linked to cybercrime activities and was used by attackers to infiltrate devices used by the Ukrainian military.

Storm-1919 often uses Amadey bots to deploy XMRIG cryptocurrency miners, and the bots were used globally in 2024. According to Microsoft, Secret Blizzard either leveraged Amadey as a service or accessed its C2 panels to deliver a PowerShell dropper containing encoded Amadey payloads and links to the group's own C2 servers.

This operation marked at least the second instance since 2022 where Secret Blizzard leveraged a cybercrime campaign to gain a foothold in Ukraine for deploying its backdoors. This approach highlights the group’s strategy of blending cybercrime with targeted cyber-espionage activities.

“Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine,” reads the analysis published by Microsoft. “Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors, including using strategic web compromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via legally mandated intercept systems in Russia such as the ‘System for Operative Investigative Activities’ (SORM).”

Secret Blizzard usually employs spear phishing to gain initial access, followed by server-side and edge device compromises for lateral movement.

Amadey bots encoded system data to communicate with the C2 at http://vitantgroup[.]com/xmlrpc.php, attempting to download two plugins, cred64.dll and clip64.dll, likely for credential and clipboard data theft. Secret Blizzard’s use of a separate C2 URL suggests it lacked full control over the Amadey bot’s primary C2 mechanism.
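The C2 URL and plugin names above are the kind of indicator a defender can turn into a hunting rule. The following is an added example, not code from the article or from Microsoft: it refangs the published IoC, then scans constructed proxy log lines (the log format, the sample hosts and the "Plugins/" path are assumptions) for beacons to the Amadey C2 and for downloads of the two plugin DLLs.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# IoCs as published in the article, kept defanged; refang() restores them for matching.
DEFANGED_C2 = "http://vitantgroup[.]com/xmlrpc.php"
AMADEY_PLUGINS = {"cred64.dll", "clip64.dll"}  # credential and clipboard theft plugins


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_HOST = urlparse(refang(DEFANGED_C2)).hostname
C2_PATH = urlparse(refang(DEFANGED_C2)).path

# Assumed (constructed) proxy log format: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(line: str) -> Optional[str]:
    """Return a verdict for one log line, or None if it matches nothing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _src, method, url, _status = m.groups()
    u = urlparse(url)
    host = (u.hostname or "").lower()
    filename = u.path.rsplit("/", 1)[-1].lower()
    if host == C2_HOST and u.path == C2_PATH and method == "POST":
        return "amadey-c2-beacon"        # bot posting encoded system data to the C2
    if filename in AMADEY_PLUGINS:
        return "amadey-plugin-download"  # cred64.dll / clip64.dll fetched from any host
    if host == C2_HOST:
        return "amadey-c2-host"          # any other contact with the known C2 host
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source_ip, verdict) for every matching line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split()[1], verdict))
    return hits


# Constructed sample log: two infected-host lines, one benign line, one stray C2 contact.
SAMPLE_LOG = [
    "2024-03-15T10:01:02Z 10.0.0.5 POST http://vitantgroup.com/xmlrpc.php 200",
    "2024-03-15T10:01:09Z 10.0.0.5 GET http://vitantgroup.com/Plugins/cred64.dll 200",
    "2024-03-15T10:02:00Z 10.0.0.7 GET https://example.com/index.html 200",
    "2024-03-15T10:03:00Z 10.0.0.9 GET http://vitantgroup.com/other 404",
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(src, verdict)
```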

Secret Blizzard selectively deployed a custom survey tool to the targeted devices, including Ukrainian front-line military systems using STARLINK IPs. The tool collected detailed system data, encrypted it with RC4, and sent it to C2 servers. The malware deployed the Tavdig backdoor and a legitimate Symantec binary to devices of interest for DLL-sideloading, enabling further reconnaissance. Tools like procmap.exe compiled malicious files for additional payloads, including the KazuarV2 backdoor.

Microsoft said it also detected the threat actor repurposing a PowerShell backdoor linked to a distinct Russia-based hacking group called Flying Yeti (aka Storm-1837 and UAC-0149) to deploy a PowerShell dropper that embeds Tavdig.

Microsoft is still investigating how Secret Blizzard gained control of the Storm-1837 backdoor or the Amadey bots to download its own tools.

Needless to say, the findings once again highlight the threat actor’s repeated pursuit of footholds provided by other parties, obtained either by purchasing the access or by stealing it, to conduct espionage campaigns in a manner that obscures its own presence.

Microsoft published Indicators of compromise (IoCs) for this campaign.

Last week, researchers from Microsoft Threat Intelligence announced they had collected evidence that the Russia-linked APT group Secret Blizzard (aka Turla, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has used the tools and infrastructure of at least 6 other threat actors during the past 7 years.

The experts reported that the Secret Blizzard threat actor is compromising the infrastructure of the Pakistan-based threat actor Storm-0156 to conduct cyber espionage campaigns on targets in South Asia.




Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine


After co-opting the tools and infrastructure of another nation-state threat actor to facilitate espionage activities, as detailed in our last blog, Russian nation-state actor Secret Blizzard used those tools and infrastructure to compromise targets in Ukraine. Microsoft Threat Intelligence has observed that these campaigns consistently led to the download of Secret Blizzard’s custom malware, with the Tavdig backdoor creating the foothold to install their KazuarV2 backdoor.

Between March and April 2024, Microsoft Threat Intelligence observed Secret Blizzard using the Amadey bot malware relating to cybercriminal activity that Microsoft tracks as Storm-1919 to download its backdoors to specifically selected target devices associated with the Ukrainian military. This was at least the second time since 2022 that Secret Blizzard has used a cybercrime campaign to facilitate a foothold for its own malware in Ukraine. Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.

Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors, including using strategic web compromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via legally mandated intercept systems in Russia such as the “System for Operative Investigative Activities” (SORM). More commonly, Secret Blizzard uses spear phishing as its initial attack vector, then server-side and edge device compromises to facilitate further lateral movement within a network of interest.

As previously detailed, Secret Blizzard is known for targeting a wide array of sectors, but most prominently ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. Secret Blizzard focuses on gaining long-term access to systems for intelligence collection, often seeking out advanced research and information of political importance, using extensive resources such as multiple backdoors. The United States Cybersecurity and Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service (FSB). Secret Blizzard overlaps with the threat actor tracked by other security vendors as Turla, Waterbug, Venomous Bear, Snake, Turla Team, and Turla APT Group.

Microsoft tracks Secret Blizzard campaigns and, when we are able, directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Secret Blizzard’s activity to raise awareness of this threat actor’s tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. In addition, we highlight that while Secret Blizzard’s use of infrastructure and access by other threat actors is unusual, it is not unique, and therefore organizations that have been compromised by one threat actor may also find themselves compromised by another through the initial intrusion
