Russian Hackers Hijack Criminal Networks to Target Ukrainian Starlink Devices


Russian state-sponsored hackers have adopted an unconventional strategy to infiltrate Ukrainian military devices connected to Starlink, according to a new report from Microsoft. Instead of using their traditional methods, the hacking group known as Secret Blizzard (also called Turla or Snake) has been hijacking the infrastructure of other cybercrime groups to conduct their operations.

The attacks specifically targeted front-line Ukrainian military personnel using Starlink-connected devices. Microsoft revealed that Secret Blizzard compromised the servers and malware of two separate threat groups, tracked as Storm-1919 and Storm-1837, and used that foothold to reach these military targets.

In one notable campaign between March and April, the Russian hackers made use of Amadey, a malware bot that Storm-1919 typically employs to deploy cryptocurrency miners. Through this appropriated tool, Secret Blizzard dropped a backdoor called Tavdig to conduct reconnaissance on infected devices whose connections came from Starlink IP addresses, which Microsoft describes as a common indicator of Ukrainian front-line military equipment.

The hackers showed particular interest in gathering intelligence from military hardware, collecting information such as user data, network status, and system configurations. When the reconnaissance identified a high-value target, additional tools were deployed to deepen the intrusion.

This tactical shift represents a departure from Secret Blizzard's usual approach of using phishing emails for initial access. Microsoft's investigation has not yet determined exactly how the Russian group gained control of the other hackers' infrastructure.

The report indicates this is part of a broader pattern, with Secret Blizzard having leveraged tools and infrastructure from at least six different hacking groups over the past seven years. While this approach has proven effective against some targets, Microsoft notes it may be less successful against well-defended networks: a defender that already detects and removes commodity malware such as Amadey is likely to catch the state actor's follow-on payloads along with it.
