Microsoft detailed how the Russian espionage group Secret Blizzard is leveraging the infrastructure of other threat actors to target the Ukrainian military with custom malware.
Analysis Summary
# Threat Actor: Secret Blizzard
## Attribution & Identity
* **Identification:** Russian state threat actor.
* **Attribution:** Believed to work on behalf of Russia’s Federal Security Service (FSB).
* **Associated Groups/Aliases:** Has leveraged resources and tools used by at least six other threat actors over the past seven years, including Storm-1919 (associated with Amadey malware) and Storm-1837.
## Activity Summary
Secret Blizzard has supported the Kremlin’s military efforts in Ukraine by repeatedly getting its custom malware downloaded onto devices associated with the Ukrainian military. In prior research, the group targeted ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. Recent activity focuses on compromising Ukrainian military devices to gather intelligence in support of Russia’s invasion.
## Tactics, Techniques & Procedures
* Leveraging strategic web compromises and Adversary-in-the-Middle (AiTM) campaigns.
* Using resources and infrastructure from other threat actors (e.g., Amadey bots, Storm-1837 tools).
* **Amadey Bot Chain (Mar-Apr 2024):** Used Amadey bots to deliver a custom PowerShell dropper, which installed the Tavdig backdoor; Tavdig then served as the foothold for installing the KazuarV2 backdoor.
* **Storm-1837 Chain (Jan 2024):** Utilized Storm-1837 infrastructure to deploy Tavdig and KazuarV2 backdoors on Ukrainian military devices.
* Used a reconnaissance tool selectively deployed to devices egressing from STARLINK IP addresses (a signature of Ukrainian front-line military devices).
* Used Tavdig backdoor loaded into `kavp.exe` for initial reconnaissance.
* Used Tavdig to import a registry file for installing and maintaining persistence for the KazuarV2 backdoor.
* Used an RC4-encrypted executable that decrypts various survey cmdlets and scripts.
* Used the Telegram API (via a compromised device configuration, likely facilitated by Storm-1837 infrastructure) to launch a cmdlet with credentials for a Mega file-sharing account, likely to download further commands/files.
* **MITRE ATT&CK IDs:** Not specifically mentioned in the text provided.
## Targeting
* **Sectors:** Government (ministries of foreign affairs, government offices), Defense (defense departments, defense-related companies).
* **Geography:** Worldwide (historically); Specifically prioritizing devices associated with the **Ukrainian military** (recent).
* **Victims:** Devices associated with the Ukrainian military, particularly devices egressing from STARLINK IP addresses (implying front-line military relevance) and devices used by Ukrainian drone operators.
## Tools & Infrastructure
* **Malware Families Used:**
  * Tavdig backdoor (custom malware)
  * KazuarV2 backdoor (custom malware)
  * PowerShell dropper (observed in both chains)
  * Custom reconnaissance tool
  * Amadey bots (MaaS or compromised C2 access)
* **Infrastructure:**
  * Leveraged infrastructure from Storm-1919 and Storm-1837.
  * Used the Mega file-sharing platform for file drops; the Mega account credentials were passed in a cmdlet launched via the Telegram API.
  * C2/IPs: STARLINK IP addresses served as the actor’s signature for identifying high-value targets (no C2 addresses are listed in the text provided).
## Implications
Secret Blizzard demonstrates a high level of operational sophistication by actively leveraging the tools, infrastructure, and footholds established by multiple other threat actors (including criminal groups like Storm-1919). This behavior allows the actor to diversify attack vectors and focus almost exclusively on compromising Ukrainian military hardware for intelligence pertinent to the ongoing conflict.
## Mitigations
* Apply heightened scrutiny to network traffic egressing from known STARLINK IP ranges used by military personnel.
* Implement robust endpoint detection and response (EDR) capable of detecting custom PowerShell backdoors and reconnaissance activity.
* Review security configurations for third-party file-sharing services (such as Mega), particularly where they are reached or referenced together with messaging channels such as the Telegram API.
* Ensure defenses are in place against common techniques used by associated groups (e.g., Amadey bot activity).
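The chain in the TTP list above (Tavdig loaded into `kavp.exe`, a PowerShell dropper, a registry-file import to persist KazuarV2, and the Telegram API and Mega used as the command and file-drop channel) together with the mitigation bullets can be expressed as a host-level correlation rule. The Python below is an added example written for this summary; it is not Microsoft's detection logic and nothing in it comes from the report beyond the process and service names already listed. The event schema, the sample telemetry, the watched egress prefixes (RFC 5737 documentation ranges standing in for whatever Starlink ranges a defender actually maintains), and the "unsigned module in kavp.exe" and "encoded PowerShell" heuristics are all this example's own assumptions.

```python
import ipaddress
from collections import defaultdict

# Hypothetical watch-list of egress prefixes the defender maintains for front-line
# devices. These are RFC 5737 documentation prefixes used as constructed
# placeholders, not real Starlink ranges.
WATCHED_EGRESS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Services the summary names as the command / file-drop channel.
WATCHED_DOMAINS = {"api.telegram.org", "mega.nz", "mega.co.nz"}

# Processes for which reaching those services is ordinary user behaviour.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

# Constructed, simplified telemetry. Field names are this example's own, not a vendor schema.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "image_load", "process": "kavp.exe",
     "module": r"C:\Users\op\AppData\Local\Temp\x.dll", "signed": False},
    {"host": "WS-01", "type": "process", "process": "powershell.exe",
     "parent": "kavp.exe", "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "WS-01", "type": "process", "process": "reg.exe",
     "parent": "powershell.exe",
     "cmdline": r"reg.exe import C:\Users\op\AppData\Local\Temp\k.reg"},
    {"host": "WS-01", "type": "network", "process": "powershell.exe",
     "src_ip": "203.0.113.17", "dest_host": "api.telegram.org"},
    {"host": "WS-01", "type": "network", "process": "powershell.exe",
     "src_ip": "203.0.113.17", "dest_host": "mega.nz"},
    # Benign host: a browser reaching Telegram from an ordinary office range,
    # plus a harmless registry query.
    {"host": "WS-02", "type": "network", "process": "msedge.exe",
     "src_ip": "10.1.2.3", "dest_host": "api.telegram.org"},
    {"host": "WS-02", "type": "process", "process": "reg.exe",
     "parent": "cmd.exe", "cmdline": "reg.exe query HKLM\\Software"},
]

# The four stages of the described chain; "watched_egress_range" only raises priority.
CHAIN_STAGES = {"unsigned_module_in_kavp", "encoded_powershell",
                "registry_file_import", "filedrop_channel_from_script_host"}


def in_watched_range(ip: str) -> bool:
    """True if the source address falls in one of the defender's watched egress prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_EGRESS)


def classify(ev: dict) -> set:
    """Map one event to zero or more stage tags from the described chain."""
    tags = set()
    kind = ev["type"]
    proc = ev.get("process", "").lower()
    if kind == "image_load" and proc == "kavp.exe" and not ev.get("signed", True):
        # Tavdig is reported to be loaded into kavp.exe; an unsigned module in that
        # process is the heuristic used here (this example's assumption).
        tags.add("unsigned_module_in_kavp")
    elif kind == "process":
        cmd = ev.get("cmdline", "").lower()
        parent = ev.get("parent", "").lower()
        if proc == "powershell.exe" and (" -enc" in cmd or "-encodedcommand" in cmd):
            tags.add("encoded_powershell")
        if proc == "reg.exe" and " import " in cmd and parent in {"powershell.exe", "kavp.exe"}:
            # Summary: Tavdig imports a registry file to persist KazuarV2.
            tags.add("registry_file_import")
    elif kind == "network":
        if ev.get("dest_host", "").lower() in WATCHED_DOMAINS and proc not in BROWSERS:
            tags.add("filedrop_channel_from_script_host")
        if in_watched_range(ev.get("src_ip", "0.0.0.0")):
            tags.add("watched_egress_range")
    return tags


def correlate(events: list) -> dict:
    """Collect tags per host; flag hosts showing two or more independent chain stages."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    results = {}
    for host, tags in per_host.items():
        stages_hit = len(tags & CHAIN_STAGES)
        suspected = stages_hit >= 2
        if suspected and "watched_egress_range" in tags:
            priority = "high"
        elif suspected:
            priority = "medium"
        else:
            priority = "low"
        results[host] = {"tags": sorted(tags),
                         "suspected_chain": suspected,
                         "priority": priority}
    return results


if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Run as a script to print one verdict per host. The benign host WS-02 shows why the rule requires two independent stages: a browser reaching the Telegram API, or a lone `reg.exe query`, produces no tag at all, and a single stage on its own is reported at low priority rather than paging anyone. The egress-range match never triggers by itself; it only promotes an already-suspected host, which keeps the watch-list from becoming a blanket alert on every front-line device.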