2024-12-17

Secret Blizzard Leverages Rival Infrastructure to Target Ukrainian Military in Espionage Campaign

Level: Tactical | Source: Microsoft
Defense, Government

Russian threat actor Secret Blizzard (also tracked as Group 88, IRON HUNTER, Krypton, Snake, Turla, Venomous Bear, Waterbug, and WhiteBear) has been identified as leveraging infrastructure linked to other threat groups to conduct espionage campaigns. In March and April 2024, Microsoft reported observing Secret Blizzard exploiting Amadey bot malware, typically associated with Storm-1919, to deploy custom backdoors such as Tavdig and KazuarV2. Additionally, in January 2024, the group utilized infrastructure linked to Storm-1837, another Russia-based group known for targeting Ukrainian military drone operators. The primary objective of these campaigns is intelligence collection, specifically targeting organizations involved in foreign affairs, embassies, government offices, and defense sectors worldwide. According to Microsoft, "The United States Cybersecurity and Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service (FSB)."

"Microsoft assesses that Secret Blizzard either used the Amadey malware as a service (MaaS) or accessed the Amadey command-and-control (C2) panels surreptitiously to download a PowerShell dropper on target devices." Among the attack techniques described, the reconnaissance step stands out: following initial access, Secret Blizzard deploys a batch script that performs extensive system reconnaissance, running commands like "ipconfig" to gather network configuration, "netstat" to view active network connections, and "net" commands to enumerate user accounts, groups, and network shares. It also runs "whoami" to identify the current user, "systeminfo" to collect system details, and queries the Windows Registry for autorun entries and security policies, likely to identify potential misconfigurations or persistence mechanisms. Additionally, it scans common directories for files and executes tasks like displaying running processes with "tasklist".

Specific hosts of interest to Secret Blizzard are military devices, particularly those associated with Starlink internet systems. Other checks on a compromised system include verifying whether Microsoft Defender is actively running. After reconnaissance, Secret Blizzard deploys various payloads such as the Amadey bot executable "av.exe". The threat actor also utilizes DLL sideloading techniques to evade detection, often dropping executables designed to load malicious DLLs under the guise of legitimate applications. The KazuarV2 backdoor was observed injecting into browser processes such as "explorer.exe" or "opera.exe" to maintain persistence and establish C2 communication. This approach allows Secret Blizzard to maintain a low profile while exfiltrating sensitive data and executing follow-on operations.
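The two behaviours above, a burst of host-enumeration commands launched from one parent process and a remote thread created in "explorer.exe" or "opera.exe", are both observable in endpoint process telemetry. The following is an added detection sketch written for this summary; it is not code from Microsoft or Anvilogic. It runs over constructed, Sysmon-style process-create (Event ID 1) and CreateRemoteThread (Event ID 8) records reduced to Python dicts, and the threshold, time window, and benign-source allowlist are assumed starting values a SOC would tune against its own baseline.

```python
"""Detection sketch (added example, not from the report) for two behaviours the
summary describes: a reconnaissance-command burst from a single parent process,
and remote-thread injection into explorer.exe / opera.exe.
All event records below are CONSTRUCTED to resemble simplified Sysmon fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance binaries named in the report (net.exe hands off to net1.exe,
# reg.exe covers the registry queries).
RECON_IMAGES = {"ipconfig.exe", "netstat.exe", "net.exe", "net1.exe",
                "whoami.exe", "systeminfo.exe", "tasklist.exe", "reg.exe"}

# Processes the report says KazuarV2 injects into.
INJECTION_TARGETS = {"explorer.exe", "opera.exe"}

# Assumed tuning values: distinct recon tools per parent within the window.
RECON_THRESHOLD = 4
RECON_WINDOW = timedelta(minutes=5)

# Assumed allowlist of sources that legitimately create remote threads in
# shell/browser processes on this fleet; tune from your own baseline.
BENIGN_INJECTION_SOURCES = {"csrss.exe"}


def _basename(path):
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_recon_bursts(events, threshold=RECON_THRESHOLD, window=RECON_WINDOW):
    """Flag (host, parent PID) pairs that spawn >= threshold distinct recon tools
    inside one sliding time window. Returns one alert per offending parent."""
    by_parent = defaultdict(list)
    for e in events:
        if e["event_id"] == 1 and _basename(e["image"]) in RECON_IMAGES:
            by_parent[(e["host"], e["parent_pid"])].append(e)

    alerts = []
    for (host, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["time"])
            tools = set()
            for e in evs[i:]:
                if datetime.fromisoformat(e["time"]) - t0 > window:
                    break
                tools.add(_basename(e["image"]))
            if len(tools) >= threshold:
                alerts.append({"host": host, "parent_pid": ppid,
                               "parent_image": _basename(start["parent_image"]),
                               "tools": sorted(tools)})
                break  # one alert per parent is enough
    return alerts


def find_injections(events, allowlist=BENIGN_INJECTION_SOURCES):
    """Flag CreateRemoteThread events whose target is a known injection target
    and whose source is not on the allowlist."""
    hits = []
    for e in events:
        if e["event_id"] != 8:
            continue
        src, dst = _basename(e["source_image"]), _basename(e["target_image"])
        if dst in INJECTION_TARGETS and src not in allowlist:
            hits.append({"host": e["host"], "source_image": e["source_image"],
                         "target_image": dst})
    return hits


def _pc(ts, host, image, parent_pid, parent_image=r"C:\Windows\System32\cmd.exe"):
    return {"event_id": 1, "host": host, "time": ts, "image": image,
            "parent_image": parent_image, "parent_pid": parent_pid}


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed sample telemetry
    # ws01: a batch script under cmd.exe (PID 4100) walks the recon commands
    _pc("2024-12-01T10:00:01", "ws01", SYS32 + r"\ipconfig.exe", 4100),
    _pc("2024-12-01T10:00:03", "ws01", SYS32 + r"\netstat.exe", 4100),
    _pc("2024-12-01T10:00:05", "ws01", SYS32 + r"\net.exe", 4100),
    _pc("2024-12-01T10:00:07", "ws01", SYS32 + r"\whoami.exe", 4100),
    _pc("2024-12-01T10:00:09", "ws01", SYS32 + r"\systeminfo.exe", 4100),
    _pc("2024-12-01T10:00:12", "ws01", SYS32 + r"\tasklist.exe", 4100),
    _pc("2024-12-01T10:00:15", "ws01", SYS32 + r"\reg.exe", 4100),
    # ws02: an administrator runs ipconfig once (benign)
    _pc("2024-12-01T10:05:00", "ws02", SYS32 + r"\ipconfig.exe", 2200),
    # ws01: remote thread from an unknown user-profile binary into opera.exe
    {"event_id": 8, "host": "ws01", "time": "2024-12-01T10:02:00",
     "source_image": r"C:\Users\user\AppData\Roaming\svc\update.exe",  # constructed path
     "target_image": r"C:\Program Files\Opera\opera.exe"},
    # ws02: csrss.exe into explorer.exe, allowlisted here (benign)
    {"event_id": 8, "host": "ws02", "time": "2024-12-01T10:06:00",
     "source_image": SYS32 + r"\csrss.exe", "target_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in find_recon_bursts(SAMPLE_EVENTS):
        print("RECON BURST", a)
    for h in find_injections(SAMPLE_EVENTS):
        print("INJECTION", h)
```

The recon rule keys on the parent rather than on any single command because each tool alone ("ipconfig", "whoami") is common administrative noise; it is the count of distinct tools under one parent in a short window that matches the scripted behaviour described above. The injection rule deliberately alerts on the target process, not on a specific source binary, since the report describes the target set rather than a fixed dropper name.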

Whether Secret Blizzard hijacked Amadey or purchased it through a MaaS service, building on access originally gained by Storm-1919 and Storm-1837 broadens the group's operational reach and diversifies its attack vectors. “Regardless of the means, Microsoft Threat Intelligence assesses that Secret Blizzard’s pursuit of footholds provided by or stolen from other threat actors highlights this threat actor’s prioritization of accessing military devices in Ukraine,” Microsoft warns.