Russian government spies targeted Ukraine using tools developed by cybercriminals
A Russian government-backed hacking group targeted Ukraine’s military using tools and infrastructure developed by cybercriminals, according to new research.
On Wednesday, Microsoft published a report detailing a hacking campaign carried out by a group it calls Secret Blizzard, which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously said “is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18,” and which other security companies refer to as Turla.
Microsoft researchers wrote in the report, shared with TechCrunch ahead of publication, that Secret Blizzard used a botnet known as Amadey, which is allegedly sold on Russian hacking forums and developed by a cybercriminal group, to attempt to break into “devices associated with the Ukrainian military” between March and April of this year. While admitting that it’s still investigating how Secret Blizzard gained access to Amadey, the company thinks the hacking group either used the botnet by paying for it as malware-as-a-service, or hacked into it.
“Secret Blizzard has been using footholds from third parties — either by surreptitiously stealing or purchasing access — as a specific and deliberate method to establish footholds of espionage value,” according to the report, referring to the Amadey botnet as one of those third parties.
One of the hackers’ goals was to evade detection. Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, told TechCrunch that “using commodity tools allows the threat actor to potentially hide their origin and make attribution more difficult.”
The Amadey botnet is normally used by cybercriminals to install a cryptominer, according to the report. Microsoft is confident that the hackers behind Amadey and those behind Secret Blizzard are different, DeGrippo said.
In this campaign, Secret Blizzard targeted computers related to the Ukrainian Army and Ukrainian Border Guard, DeGrippo told TechCrunch. Microsoft said these recent cyberattacks are “at least the second time since 2022 that Secret Blizzard has used a cybercrime campaign to facilitate a foothold for its own malware in Ukraine.”
Secret Blizzard is known to target “ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide” with a focus on long-term espionage and intelligence collection, according to Microsoft’s report.
In this case, the Secret Blizzard malware sample that Microsoft analyzed was designed to gather information about a victim’s system — such as device name and what, if any, antivirus software is installed — as a first step to then deploy other malware and tools.
According to Microsoft’s researchers, Secret Blizzard deployed this malware on devices to determine whether the targets were “of further interest.” For example, Secret Blizzard targeted devices using Starlink, SpaceX’s satellite service, which has been used by the Ukrainian military in their operations fighting invading Russian forces.
DeGrippo said that the company is confident that this hacking campaign was conducted by Secret Blizzard in part because the hackers used custom backdoors called Tavdig and KazuarV2, “never seen used by other groups.”
Last week, Microsoft and security firm Black Lotus Labs published reports that showed how Secret Blizzard has co-opted the tools and infrastructure of another nation-state hacking group for its espionage activities since 2022. In that case, according to the two companies’ research, Secret Blizzard piggybacked on a Pakistan-based hacking group to reach military and intelligence targets in Afghanistan and India. At the time, Microsoft noted that Secret Blizzard has used this technique of taking advantage of other hackers’ tools and infrastructure since 2017, in cases involving Iranian government hackers and a Kazakhstan hacking group, among others.
The Russian embassy in Washington, D.C., and the FSB did not respond to requests for comment.