Russian nation-state actor Secret Blizzard has intensified its cyber-espionage efforts against Ukrainian military assets during 2024. Linked to Russia’s Federal Security Service (FSB), the group has effectively used infrastructure and tools from various cyber actors. Key techniques include deploying sophisticated custom malware, conducting strategic watering hole attacks, and spear phishing.
Secret Blizzard targets Ukraine’s military using custom malware
Secret Blizzard’s strategy centers on using infrastructure tied to other actors, such as Storm-1919 and Storm-1837. This approach extends its reach to specific targets, particularly military personnel and their devices. By diversifying its attack vectors, the group can penetrate critical systems more effectively.
The group employs several distinct malware tools, including the Tavdig backdoor and KazuarV2 payloads. These tools are designed to maintain persistent access and gather intelligence. The Tavdig backdoor has notably been deployed in high-stakes environments associated with the Ukrainian military’s front-line operations.
Notably, Secret Blizzard used the Amadey bot in March and April 2024 to distribute its Tavdig backdoor. The Amadey bot, typically used for cryptomining, gave the group a foothold on target devices. This iteration, version 4.18, had reconnaissance capabilities that included gathering device information and collecting credentials through various plugins.
Secret Blizzard also deployed a custom reconnaissance tool aimed at devices using STARLINK IP addresses. The tool collected key data, including system configurations and directories, and sent it RC4-encrypted to a command-and-control (C2) server.
The KazuarV2 payload employed by Secret Blizzard was often injected into trusted processes for stealth and used DLL sideloading to evade the victims’ detection measures. Likewise, the Storm-1837 backdoor, introduced in December 2023, gave the group ongoing access to the devices of Ukrainian drone operators.
That deployment used the Telegram API to connect to a file-sharing platform with stored credentials, enabling further malicious payloads to be installed remotely.
In light of these attacks, organizations are urged to bolster their defenses. Recommendations include strengthening endpoint security with Microsoft Defender’s tamper protection and real-time protection features, complemented by network protections such as monitoring PowerShell activity and restricting unauthorized scripts.
To monitor for indicators of compromise (IOCs), tracking specific domains such as citactica.com and icw2016.coachfederation.cz is essential. Regular hunting for suspicious PowerShell activity should also be part of a proactive defense.
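As an added illustration of the monitoring recommended above (this is example code, not code from the article or from Microsoft): the Python script below triages endpoint log lines, flagging the two IOC domains named in the article and common suspicious PowerShell command-line traits. The key=value log format, the sample lines and the PowerShell heuristics are assumptions made for this example.

```python
"""Added example: flag IOC domains and suspicious PowerShell command lines in
endpoint logs. The log format, sample lines and heuristics are constructed
for illustration; only the two domains come from the article."""
import re

# IOC domains named in the article (matched as exact domain or subdomain).
IOC_DOMAINS = ("citactica.com", "icw2016.coachfederation.cz")

# Assumed heuristics for suspicious PowerShell invocations: name -> pattern.
SUSPICIOUS_PS = [
    ("encoded-command", re.compile(r"-(?:e|enc|encodedcommand)\b", re.I)),
    ("hidden-window", re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)),
    ("no-profile", re.compile(r"-(?:nop|noprofile)\b", re.I)),
    ("execution-policy-bypass", re.compile(r"(?:-ep|-executionpolicy)\s+bypass", re.I)),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("download-cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
]

# Assumed log format: '<timestamp> key=value key="quoted value" ...'
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse key=value fields (quoted or bare) from one log line into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def match_ioc_domain(text):
    """Return the IOC domain found in text (exact or as a subdomain), else None."""
    for domain in IOC_DOMAINS:
        # Lookarounds stop 'notcitactica.com' from matching 'citactica.com'.
        pattern = r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(domain) + r"(?![\w-])"
        if re.search(pattern, text, re.I):
            return domain
    return None


def triage(line):
    """Return a list of reasons this line is suspicious (empty if benign)."""
    fields = parse_line(line)
    reasons = []
    domain = match_ioc_domain(line)
    if domain:
        reasons.append(f"ioc-domain:{domain}")
    cmd = fields.get("cmdline", "")
    image = fields.get("image", "").lower()
    is_ps = image.endswith(("powershell.exe", "pwsh.exe")) or "powershell" in cmd.lower()
    if cmd and is_ps:
        for name, pat in SUSPICIOUS_PS:
            if pat.search(cmd):
                reasons.append(f"powershell:{name}")
    return reasons


def scan(lines):
    """Return (index, reasons) for every flagged line in the input."""
    hits = []
    for i, line in enumerate(lines):
        reasons = triage(line)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample log lines (hostnames, paths and base64 are made up).
LOG_SAMPLE = [
    '2024-03-12T09:14:02Z host=WS-07 event=dns query=www.example.org',
    '2024-03-12T09:15:40Z host=WS-07 event=dns query=cdn.citactica.com',
    '2024-03-12T09:15:41Z host=WS-07 event=process image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    '2024-03-12T09:20:00Z host=WS-07 event=process image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"',
    '2024-03-12T09:22:13Z host=WS-09 event=http host=icw2016.coachfederation.cz uri=/update.php',
]

if __name__ == "__main__":
    for index, reasons in scan(LOG_SAMPLE):
        print(f"line {index}: {', '.join(reasons)}")
```

The domain check runs over the whole line so it catches DNS queries, HTTP hosts and URLs in command lines alike; the PowerShell heuristics only run when the process image or command line points at PowerShell, which keeps a scheduled `-File` backup script (line 4 of the sample) from being flagged while the hidden, encoded invocation on line 3 is.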