Frequent freeloader: Russian actor using tools of other groups to attack Ukraine
Dec. 13, 2024, 7 p.m.
Description
Russian nation-state actor Secret Blizzard has been observed using tools and infrastructure from other threat actors to compromise targets in Ukraine. Between March and April 2024, Secret Blizzard utilized the Amadey bot malware associated with cybercriminal activity to deploy its custom Tavdig and KazuarV2 backdoors on Ukrainian military devices. In January 2024, Secret Blizzard also leveraged a backdoor from Storm-1837, a Russia-based threat actor targeting Ukrainian drone pilots, to install its malware. This approach highlights Secret Blizzard's strategy of diversifying attack vectors and prioritizing access to military targets in Ukraine. The actor employs various techniques including strategic web compromises, adversary-in-the-middle campaigns, and spear-phishing for initial access.
Date
Published: Dec. 13, 2024, 1:28 p.m.
Created: Dec. 13, 2024, 1:28 p.m.
Modified: Dec. 13, 2024, 7 p.m.
Attack Patterns
KazuarV2
Tavdig
Amadey - S1025
Secret Blizzard
T1553.002
T1018
T1059.001
T1012
T1546
T1016
T1082
T1105
T1083
T1047
T1055
T1036
T1204
T1140
T1027
T1566
T1190
T1133
T1078
T1003
Additional Information
Defense
Government
Ukraine