The Russian state-sponsored threat actor Secret Blizzard, also known as Turla, has been identified leveraging the Amadey malware-as-a-service (MaaS) platform to infiltrate systems associated with the Ukrainian military. According to Microsoft, this campaign, which occurred between March and April 2024, represents a sophisticated effort to deploy the Kazuar backdoor using existing cybercrime tools. This marks at least the second instance since 2022 where Secret Blizzard has co-opted third-party malware infrastructure to execute its espionage activities in Ukraine.
The attack chain began with the deployment of Amadey bots to install a PowerShell dropper encoded with a command-and-control (C2) URL controlled by Turla. This dropper facilitated reconnaissance on compromised systems, gathering details such as the presence of Microsoft Defender, to identify high-value targets. After reconnaissance, the attackers proceeded to deploy Tavdig, a backdoor used to enable additional data collection and pave the way for Kazuar, an updated version of which was previously documented in 2023. This intricate sequence reflects the group’s emphasis on precision targeting and operational obfuscation.
What sets this campaign apart is Secret Blizzard’s reliance on pre-existing malware services and infrastructures, such as Amadey and the COOKBOX PowerShell backdoor linked to another Russia-based group, Flying Yeti. By hijacking access provided by other threat actors, the group effectively obscures its operations and frustrates attribution efforts. Microsoft noted that this tactic, while not unprecedented, is rarely executed with such complexity. It demonstrates Secret Blizzard’s ability to exploit cybercrime networks for state-sponsored objectives.
This campaign underscores the evolving dynamics of cyber espionage, where nation-state actors increasingly rely on third-party malware ecosystems to achieve their goals. By using tools like Amadey, Secret Blizzard can rapidly scale its operations while maintaining a layer of plausible deniability. The findings highlight the growing intersection of cybercrime and state-sponsored hacking, emphasizing the need for enhanced vigilance and collaboration among cybersecurity stakeholders to defend against these multifaceted threats.
Reference:
