#1 Middle East & Africa Trusted Cybersecurity News & Magazine
Saturday, February 1, 2025

Russian Actor Secret Blizzard Exploits Tools of Other Groups to Attack Ukraine


In a recent revelation, the Russian cyber-espionage group known as Secret Blizzard has been observed leveraging the tools and infrastructure of other threat actors to conduct cyberattacks against Ukraine. This tactic, which involves hijacking existing malware and command-and-control (C2) infrastructure, has allowed Secret Blizzard to deploy its custom backdoors, Tavdig and KazuarV2, on Ukrainian military devices. This article delves into the details of these operations, the implications for cybersecurity, and provides actionable advice to mitigate such threats.

Secret Blizzard, also known by various aliases such as Turla, Waterbug, and Venomous Bear, has a long history of cyber-espionage activities targeting government and military entities. The group’s recent campaigns have highlighted a strategic shift towards using the tools and infrastructure of other threat actors to achieve their objectives.

The Campaigns

Between March and April 2024, Microsoft Threat Intelligence observed Secret Blizzard using the Amadey bot malware, associated with the cybercriminal group Storm-1919, to download its backdoors onto Ukrainian military devices. This marks at least the second instance since 2022 where Secret Blizzard has used a cybercrime campaign to facilitate its own malware deployment in Ukraine.

In January 2024, Secret Blizzard was also observed using the backdoor of Storm-1837, another Russia-based threat actor, to compromise a device belonging to a Ukrainian military drone pilot. This backdoor was used to download the Tavdig and KazuarV2 backdoors, further demonstrating Secret Blizzard’s ability to commandeer the tools of other groups for its espionage activities.

Attack Vectors and Techniques

  • Secret Blizzard employs a variety of attack vectors, including spear phishing, strategic web compromises (watering holes), and adversary-in-the-middle (AiTM) campaigns.
  • These methods are often facilitated by legally mandated intercept systems in Russia, such as the System for Operative Investigative Activities (SORM).
  • Once initial access is gained, Secret Blizzard uses server-side and edge device compromises to facilitate lateral movement within the target network.
  • The group’s primary goal is to gain long-term access to systems for intelligence collection, often targeting advanced research and politically significant information.

Malware and Tools

  • The Amadey bot, used by Secret Blizzard, gathers extensive information about the victim system, including administrator status, device name, and installed antivirus software.
  • This information is sent back to the C2 server, which then attempts to download additional plugins for credential and clipboard data collection.
  • Secret Blizzard’s custom reconnaissance tool, deployed selectively to devices of interest, collects detailed system information and transmits it to the C2 server.
  • This tool encrypts the collected data with a custom RC4 implementation before sending it, so the captured information cannot be read in transit.
  • The Tavdig backdoor, loaded into a legitimate Symantec binary susceptible to DLL sideloading, conducts further reconnaissance on the device, including user information, network statistics, and installed patches.
  • The KazuarV2 backdoor, often injected into browser processes, facilitates command and control with compromised web servers hosting Secret Blizzard’s relay and encryption module.
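The DLL-sideloading step used to load Tavdig (a signed vendor binary pulling an attacker-supplied DLL from its own directory) can be hunted for in image-load telemetry. The following is an added example, not code from the article or from Microsoft: it scores records shaped like Sysmon Event ID 7 (Image, ImageLoaded, Signed and SignatureStatus are real Sysmon fields; HostSigned is an assumed enrichment field, and VendorTool.exe and all sample records are constructed placeholders).

```python
from pathlib import PureWindowsPath

# Assumed enrichment: "HostSigned" is not a Sysmon field; Event 7's Signed/SignatureStatus
# describe the loaded DLL only, so the host's signature state must be added upstream.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def sideload_reason(rec):
    """Return why an image-load record looks like DLL sideloading, or None."""
    host, dll = PureWindowsPath(rec["Image"]), PureWindowsPath(rec["ImageLoaded"])
    dll_lower = str(dll).lower()
    # System-directory DLLs resolve through the normal search order; ignore them.
    if dll.suffix.lower() != ".dll" or dll_lower.startswith(SYSTEM_DIRS):
        return None
    # Sideloading only pays off when the host is a trusted (signed) binary.
    if not rec.get("HostSigned", False):
        return None
    dll_trusted = rec.get("Signed", "false").lower() == "true" and rec.get("SignatureStatus") == "Valid"
    if dll_trusted:
        return None
    if dll.parent == host.parent:
        return "signed host loaded unsigned/invalid DLL from its own directory"
    if dll_lower.startswith(USER_WRITABLE):
        return "signed host loaded unsigned/invalid DLL from a user-writable path"
    return None


def scan(records):
    """Return (loaded image, reason) for every record matching the heuristic."""
    return [(r["ImageLoaded"], why) for r in records if (why := sideload_reason(r))]


# Constructed sample records; VendorTool.exe is a placeholder for the unnamed signed binary.
SAMPLE_RECORDS = [
    {"Image": r"C:\Users\pilot\AppData\Local\Temp\vt\VendorTool.exe", "HostSigned": True,
     "ImageLoaded": r"C:\Users\pilot\AppData\Local\Temp\vt\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\App\app.exe", "HostSigned": True,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\pilot\Downloads\tool.exe", "HostSigned": False,
     "ImageLoaded": r"C:\Users\pilot\Downloads\tool.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_RECORDS):
        print(f"ALERT {image}: {reason}")
```

Legitimate applications do ship unsigned DLLs beside their executables, so treat a hit as a triage lead (check the host's expected install path and the DLL's hash and export table) rather than a verdict.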

10 Tips to Avoid Such Threats in the Future

  1. Implement Stricter Access Controls: Ensure that only authorized personnel have access to sensitive systems and data.
  2. Regular Security Audits: Conduct frequent security audits to identify and mitigate vulnerabilities in your network.
  3. Use Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security to user accounts.
  4. Monitor Network Traffic: Continuously monitor network traffic for unusual activity that may indicate a breach.
  5. Educate Employees: Provide regular training to employees on recognizing and responding to phishing attempts and other cyber threats.
  6. Deploy Advanced Threat Detection: Use advanced threat detection tools to identify and respond to potential threats in real-time.
  7. Segment Networks: Segment your network to limit the spread of malware and reduce the impact of a breach.
  8. Regularly Update Software: Ensure that all software and systems are regularly updated with the latest security patches.
  9. Backup Data: Regularly backup critical data to ensure it can be restored in the event of a ransomware attack or other data loss incident.
  10. Develop an Incident Response Plan: Create and regularly update an incident response plan to ensure a swift and effective response to any security incidents.

Conclusion

The activities of Secret Blizzard underscore the evolving nature of cyber threats and the importance of robust cybersecurity measures. By leveraging the tools and infrastructure of other threat actors, Secret Blizzard has demonstrated a sophisticated approach to cyber-espionage that poses significant challenges for defenders. Organizations must remain vigilant and proactive in their cybersecurity efforts to protect against such threats.
