It turns out that Russian cyber spies hijacked 'comrade hackers' to attack Ukraine



It has been discovered that Turla, a Russian government cyber espionage group, has been using the activities of another Russian-based hacker to launch attacks on Ukraine.

Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | Microsoft Security Blog

https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/

Russian cyber spies hide behind other hackers to target Ukraine
https://www.bleepingcomputer.com/news/security/russian-cyber-spies-hide-behind-other-hackers-to-target-ukraine/

Turla living off other cybercriminals' tools in order to attack Ukrainian targets | CyberScoop
https://cyberscoop.com/turla-leverage-cybercriminal-tools-target-ukraine-microsoft/

Turla is a cyber espionage group also known as 'Secret Blizzard.' According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), 'Secret Blizzard is the Center 16 of the SIGINT and Computer Network Operations (CNO) agency of the Russian Federal Security Service (FSB).'

One of the major features of Turla is that it hijacks the attack routes of other hackers. Microsoft's threat intelligence team and the American telecommunications company Lumen reported on December 4, 2024 that Turla was using infrastructure built by the Pakistani threat actor 'Storm-0156' to launch malware attacks against foreign countries.

Russian cyber espionage group 'Secret Blizzard' hijacks and attacks other hackers' servers and infrastructure - GIGAZINE



Additionally, on December 11, Microsoft announced that it had discovered that Turla was attempting to hijack the infrastructure of Russian hackers Storm-1919 and Storm-1837 to benefit Russian military operations in Ukraine.

The first attack reported this time took place in March or April 2024 and involved the use of 'Amadey,' a malware used by Storm-1919.

While Amadey was originally targeted at cryptocurrency miners, Turla used it to plant two backdoors, Tavdig and KazuarV2, in Ukraine's military network to attack Ukrainian hardware, including Starlink-connected devices.

It is unclear whether Turla hijacked Amadey's botnet or purchased access to it from Storm-1919.

'We assess that Secret Blizzard either used Amadey as a Malware as a Service (MaaS) or covertly accessed Amadey's command and control (C2) panel to download PowerShell droppers onto targeted devices,' Microsoft wrote in the report.



The second attack was carried out in January 2024 by Turla after they hijacked the infrastructure of another threat actor, Storm-1837.

Storm-1837 originally targeted devices used by Ukrainian drone pilots using a PowerShell backdoor called “Cookbox,” which Turla leveraged to deploy Tavdig and KazuarV2.

As with Storm-1919, it is unclear whether Turla has hijacked or coordinated with Storm-1837, but in any case, this report provides further details on Turla's method of using the activities of other hackers to launch attacks abroad.

'Whatever method they used, our threat intelligence team assesses that Secret Blizzard's use of footholds provided or stolen from other threat actors indicates that they are prioritizing access to Ukrainian military devices. We believe it is likely that Secret Blizzard will use this tactic in other campaigns beyond those discussed here,' Microsoft said.

in Security,   , Posted by log1l_ks