Full Report
A Russian nation-state threat actor has been observed leveraging tools from other cybercriminal groups to compromise targets in Ukraine, a recent report by Microsoft Threat Intelligence disclosed. This clandestine approach, which is the second time in as many weeks that Microsoft has highlighted the group’s effort, shows how Turla uses a wide range of attack […]
Source: "Turla living off other cybercriminals’ tools in order to attack Ukrainian targets", CyberScoop.
Analysis Summary
# Threat Actor: Turla (Secret Blizzard / Pensive Ursa / Waterbug)
## Attribution & Identity
Attributed to Center 16 of Russia’s Federal Security Service (FSB).
Known Aliases: Secret Blizzard, Pensive Ursa, Waterbug.
## Activity Summary
Turla orchestrated a campaign between March and April 2024 that specifically targeted devices associated with the Ukrainian military. The campaign co-opted tools normally used by cybercriminal groups in order to gain long-term network access. The group has also recently been observed using infrastructure associated with a Pakistan-based APT group for espionage operations against targets in Afghanistan and India.
## Tactics, Techniques & Procedures
- Leveraging tools and infrastructure from other cybercriminal groups (e.g., Storm-1919 and Storm-1837).
- Deploying their own backdoors (Tavdig and KazuarV2) atop compromised criminal infrastructure.
- Implementing hybrid espionage techniques including strategic web compromises, adversary-in-the-middle campaigns, and spear-phishing.
- Using reconnaissance tools specifically designed for Ukrainian military devices.
- Utilizing encrypted scripts.
## Targeting
- Sectors: Ukrainian military, foreign ministries, embassies, government offices, and defense companies worldwide.
- Geography: Ukraine (primary focus in this report), Afghanistan, India.
- Victims: Devices associated with the Ukrainian military.
## Tools & Infrastructure
- Malware families used: Amadey bot malware (co-opted from cybercriminal activity tracked as Storm-1919), Tavdig, KazuarV2.
- Infrastructure: Evidence suggests Turla may not have direct control over the Amadey bot C2 mechanisms, indicating that it may have purchased access to, or hacked into, the infrastructure used by Storm-1919 and Storm-1837. No specific C2 domains or IP addresses are given in this summary.
## Implications
Turla is demonstrating a tactical shift toward hybrid espionage by increasingly relying on third-party access exploitation and on existing cybercriminal toolsets. Reusing another group's tooling and infrastructure makes the activity harder to attribute with conventional tracking and lets Turla maintain covert entry into sensitive networks. The activity suggests state-sponsored targeting that directly supports geopolitical interests related to the conflict in Ukraine.
## Mitigations
- Organizations should be vigilant for signs of third-party access exploitation, where common cybercriminal malware is used as a precursor to state-sponsored implants.
- Monitor for the deployment of backdoors like Tavdig and KazuarV2.
- Enhance security measures against spear-phishing, adversary-in-the-middle attacks, and strategic web compromises.
- Security teams should inspect networks for reconnaissance tools custom-designed for specific military devices, as observed in the Ukrainian targeting.
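The first two mitigations describe a detectable sequence: a commodity bot (Amadey) appears on a host, and a Turla implant (Tavdig or KazuarV2) follows. The correlation below is an added illustration, not code from Microsoft's report or from CyberScoop; the alert line format and the sample alerts are constructed for the example, and the 14-day window is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Family labels come from the report; the "timestamp host family" alert
# format is a constructed assumption, not any vendor's real EDR schema.
PRECURSOR_FAMILIES = {"Amadey"}
STATE_IMPLANT_FAMILIES = {"Tavdig", "KazuarV2"}

# Constructed sample alerts: host-a and host-b show the handoff pattern
# (host-b outside the default window); host-c and host-d do not.
SAMPLE_ALERTS = """\
2024-03-04T08:12:00Z host-a Amadey
2024-03-04T09:40:00Z host-a Tavdig
2024-03-05T10:00:00Z host-b Amadey
2024-03-21T11:30:00Z host-b KazuarV2
2024-03-06T12:00:00Z host-c Tavdig
2024-03-07T12:05:00Z host-d Amadey
"""

def parse_alerts(text):
    """Parse 'ISO8601 host family' lines into (time, host, family) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, family = line.split()
        alerts.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, family))
    return alerts

def find_precursor_handoffs(alerts, window_days=14):
    """Return one hit per precursor alert that is followed on the same host,
    within window_days, by a state implant alert.
    Each hit is (host, precursor_family, implant_family, gap_seconds)."""
    window = timedelta(days=window_days)
    by_host = defaultdict(list)
    for ts, host, family in alerts:
        by_host[host].append((ts, family))
    hits = []
    for host, events in by_host.items():
        events.sort()  # chronological order per host
        for i, (t0, f0) in enumerate(events):
            if f0 not in PRECURSOR_FAMILIES:
                continue
            for t1, f1 in events[i + 1:]:
                if f1 in STATE_IMPLANT_FAMILIES and t1 - t0 <= window:
                    hits.append((host, f0, f1, (t1 - t0).total_seconds()))
                    break  # report the first implant after this precursor
    return hits

if __name__ == "__main__":
    for hit in find_precursor_handoffs(parse_alerts(SAMPLE_ALERTS)):
        print(hit)
```

Widening window_days to 30 also surfaces host-b, whose 16-day gap the default window discards; a real deployment would tune the window against the dwell times observed in its own telemetry.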