- Microsoft warns Russian state-sponsored threat actor is cracking into Ukrainian military tech
- The Anadey bot malware is dropped onto devices to gather information
- Secret Blizzard could used hacked devices to escalate compromise to the Ministry level
Microsoft Threat Intelligence has revealed notorious Russian threat actor Secret Blizzard has been working with other cybercriminals to conduct espionage on targeted organizations of interest in South Asia as well as installing multiple backdoors on devices in Ukraine.
The team has highlighted Secret Blizzard is using cyber attacks conducted by Russian threat actors as a vector of entry to install the Amadey bot malware and backdoors onto Ukrainian devices for espionage purposes.
Secret Blizzard is assessed to either purchase or steal points of entry onto Ukrainian devices from other Russia-aligned state sponsored threat actors in order to diversify its ability to monitor devices and conduct attacks.
Espionage and monitoring
The initial point of access for Secret Blizzard is usually conducted via spearphishing attacks before moving laterally through networks of interest via server-side and edge device compromise.
One access to a device is gained, Secret Blizzard was observed deploying a Powershell dropper via the Amadey malware-as-a-service (MaaS), which allows Secret Blizzard to see device configurations and collect information through a command and control (C2) server.
The Amadey would then gather and relay information on the type of antivirus software installed on the device, before installing two plugins on the target device that Microsoft Threat Intelligence theorizes are used to gather clipboard data and browser credentials.
Secret Blizzard would also seek out and target devices that use a Starlink IP address as a favoured target, before deploying a custom algorithm that allows the threat actor to steal data from the targeted device including the directory tree, system information, active sessions, IPv4 route table, SMB shares, enabled security groups, and time settings.
Microsoft Threat Intelligence also observed a cmd prompt being used to gather information from Windows Defender as to whether previous versions of the Amadey malware had been spotted on the system in order to gauge if the target device was of interest.
Secret Blizzard is actively adapting its attack techniques to specifically target Ukrainian military devices, with Microsoft assessing that footholds are likely being exploited to “escalate toward strategic access at the Ministry level.”
Microsoft recommends that those looking to mitigate against this particular attack vector should introduce attack vector reduction rules on Microsoft Defender XDR, enable network protection in Microsoft Defender for Endpoint, and turn on additional Microsoft defender settings such as PUA protection block mode, cloud-delivered protection, and real-time protection. A full list of mitigation strategies can be found on the Microsoft Threat Intelligence blog.