A hacking group backed by the Russian government targeted the Ukrainian military using tools and infrastructure developed by cybercriminals, according to a new investigation.
On Wednesday, Microsoft published a report detailing a hacking campaign carried out by a group it calls Secret Blizzard. The US Cybersecurity and Infrastructure Security Agency (CISA) has previously said the group is "almost certainly subordinate to the 18th Center of the Russian Federal Security Service (FSB)"; other security companies track it as Turla.
In a report shared with TechCrunch ahead of publication, Microsoft researchers wrote that between March and April of this year Secret Blizzard used a botnet known as Amadey, which was developed by a cybercriminal group and is claimed to be sold on Russian hacking forums, to try to access "devices associated with the Ukrainian military." The company, which admits it is still investigating how Secret Blizzard gained access to Amadey, believes the hacking group either paid for the botnet as malware-as-a-service or compromised it.
According to the report, which cites the Amadey botnet as one of those third parties, "Secret Blizzard's use of third-party footholds, whether by covertly stealing them or by gaining access to them, is a specific and deliberate method to establish footholds of espionage value."
One of the hackers’ goals was to avoid detection. Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, told TechCrunch that “the use of commodity tools allows a threat actor to potentially obscure their origin and make attribution difficult.”
According to the report, the Amadey botnet is commonly used by cybercriminals to install cryptominers. Microsoft is confident that the hackers behind Amadey and Secret Blizzard are distinct groups, DeGrippo said.
DeGrippo told TechCrunch that in this campaign Secret Blizzard targeted computers associated with the Ukrainian Army and the Ukrainian Border Guard. These latest intrusions are "at least the second time since 2022 that Secret Blizzard has used a cybercrime campaign to facilitate the deployment of its malware in Ukraine," Microsoft said.
According to Microsoft’s report, Secret Blizzard is known to target “foreign ministries, embassies, government departments, defense departments, and defense-related companies around the world,” focusing on long-term espionage and intelligence gathering.
In this case, the Secret Blizzard malware sample that Microsoft analyzed was designed to gather information about a victim's system, such as the device name and which antivirus software, if any, is installed, as a first step toward deploying other malware and tools.
According to Microsoft researchers, Secret Blizzard placed this malware on devices to identify targets "of greater interest." For example, Secret Blizzard singled out devices connected through Starlink, SpaceX's satellite internet service, which the Ukrainian army uses in combat operations against the invading Russian troops.
DeGrippo said the company attributes the campaign to Secret Blizzard in part because the hackers used custom backdoors called Tavdig and KazuarV2, which "have never been used by other groups."
Last week, Microsoft and the security company Black Lotus Labs released reports showing how Secret Blizzard has piggybacked on the tools and infrastructure of another nation-state hacking group for espionage since 2022. In that case, according to the two companies' investigations, Secret Blizzard relied on a Pakistan-based hacking group's access to reach military and intelligence targets in Afghanistan and India. At the time, Microsoft noted that Secret Blizzard had been using this method since 2017 to take advantage of other hackers' tools and infrastructure, in cases involving Iranian government hackers and a Kazakh hacking group, among others.
The Russian embassy in Washington and the FSB did not respond to requests for comment.