Microsoft says Russia is hacking Ukrainian military technology by stealing third-party access points
- Microsoft warns that a Russian state-sponsored threat actor is cracking Ukrainian military technology
- The Anadey bot malware is placed on devices to collect information
- Secret Blizzard could use hacked devices to escalate compromises to the ministry level
Microsoft Threat Intelligence has revealed that notorious Russian threat actor Secret Blizzard is working with other cybercriminals to conduct espionage on targeted organizations of interest in South Asia and install multiple backdoors on devices in Ukraine.
The team has highlighted that Secret Blizzard is using cyberattacks from Russian threat actors as a gateway to install the Amadey bot malware and backdoors on Ukrainian devices for espionage purposes.
Secret Blizzard is expected to purchase or steal access points to Ukrainian devices from other Russian-sponsored state-sponsored threat actors to diversify its ability to monitor devices and launch attacks.
Espionage and monitoring
The initial entry point for Secret Blizzard is usually conducted via spearphishing attacks before moving laterally through interesting networks via server-side and edge device compromise.
A device is accessed once. Secret Blizzard has been observed deploying a Powershell dropper via the Amadey malware-as-a-service (MaaS), which allows Secret Blizzard to see device configurations and collect information via a command and control (C2) server.
The Amadey would then collect and pass on information about the type of antivirus software installed on the device, before installing two plugins on the target device that, according to Microsoft Threat Intelligence theory, are used to collect clipboard data and browser data.
Secret Blizzard would also find and target devices that use a Starlink IP address as a favorite target, before deploying a custom algorithm that allows the threat actor to steal data from the targeted device, including its directory structure, system information, active sessions and IPv4 route table, SMB shares, enabled security groups and time settings.
Microsoft Threat Intelligence also observed a cmd prompt being used to gather information from Windows Defender about whether previous versions of the Amadey malware had been spotted on the system to gauge whether the target device was of interest.
Secret Blizzard is actively adapting its attack techniques to specifically target Ukrainian military assets, with Microsoft estimating that strongholds are likely to be exploited to “escalate to ministry-level strategic access.”
Microsoft recommends that those who want to mitigate this specific attack vector introduce attack vector mitigation rules on Microsoft Defender real-time protection. A complete list of mitigation strategies can be found on the Microsoft Threat Intelligence blog.