Microsoft says Russia is hacking Ukrainian military tech by stealing points of entry from third-parties

1 week ago 3
Cyber warfare
(Image credit: Shutterstock)

  • Microsoft warns Russian state-sponsored threat actor is cracking into Ukrainian military tech
  • The Anadey bot malware is dropped onto devices to gather information
  • Secret Blizzard could used hacked devices to escalate compromise to the Ministry level

Microsoft Threat Intelligence has revealed notorious Russian threat actor Secret Blizzard has been working with other cybercriminals to conduct espionage on targeted organizations of interest in South Asia as well as installing multiple backdoors on devices in Ukraine.

The team has highlighted Secret Blizzard is using cyber attacks conducted by Russian threat actors as a vector of entry to install the Amadey bot malware and backdoors onto Ukrainian devices for espionage purposes.

Secret Blizzard is assessed to either purchase or steal points of entry onto Ukrainian devices from other Russia-aligned state sponsored threat actors in order to diversify its ability to monitor devices and conduct attacks.

Espionage and monitoring

The initial point of access for Secret Blizzard is usually conducted via spearphishing attacks before moving laterally through networks of interest via server-side and edge device compromise.

One access to a device is gained, Secret Blizzard was observed deploying a Powershell dropper via the Amadey malware-as-a-service (MaaS), which allows Secret Blizzard to see device configurations and collect information through a command and control (C2) server.

The Amadey would then gather and relay information on the type of antivirus software installed on the device, before installing two plugins on the target device that Microsoft Threat Intelligence theorizes are used to gather clipboard data and browser credentials.

Secret Blizzard would also seek out and target devices that use a Starlink IP address as a favoured target, before deploying a custom algorithm that allows the threat actor to steal data from the targeted device including the directory tree, system information, active sessions, IPv4 route table, SMB shares, enabled security groups, and time settings.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Microsoft Threat Intelligence also observed a cmd prompt being used to gather information from Windows Defender as to whether previous versions of the Amadey malware had been spotted on the system in order to gauge if the target device was of interest.

Secret Blizzard is actively adapting its attack techniques to specifically target Ukrainian military devices, with Microsoft assessing that footholds are likely being exploited to “escalate toward strategic access at the Ministry level.”

Microsoft recommends that those looking to mitigate against this particular attack vector should introduce attack vector reduction rules on Microsoft Defender XDR, enable network protection in Microsoft Defender for Endpoint, and turn on additional Microsoft defender settings such as PUA protection block mode, cloud-delivered protection, and real-time protection. A full list of mitigation strategies can be found on the Microsoft Threat Intelligence blog.

You might also like

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division),  then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

Read Entire Article