Focus Mode
Threat Research

Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | Microsoft Security Blog

Securonix
Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | Microsoft Security Blog
Microsoft Threat Intelligence has reported on the Russian nation-state actor Secret Blizzard, which has been using co-opted tools and infrastructure from other threat actors to conduct espionage activities against targets in Ukraine. The campaigns have involved the deployment of custom malware, including the Tavdig and KazuarV2 backdoors, often facilitated through cybercriminal tools like Amadey bot malware. The article highlights the strategic use of various attack vectors, including spear phishing and web compromises, to gain long-term access to sensitive military and governmental systems. Affected: Ukraine, Russian Federation

Keypoints :

  • Secret Blizzard has compromised targets in Ukraine using co-opted tools from other threat actors.
  • Custom malware deployed includes Tavdig and KazuarV2 backdoors.
  • Amadey bot malware was used to download backdoors onto military devices.
  • Secret Blizzard employs various attack vectors, including spear phishing and watering hole attacks.
  • The actor targets military and governmental sectors for intelligence collection.
  • Microsoft assesses that Secret Blizzard is linked to Russia’s Federal Security Service (FSB).
  • Microsoft provides notifications to customers targeted by Secret Blizzard.
  • Mitigation strategies include strengthening Microsoft Defender configurations.

MITRE Techniques :

  • TA0001 – Initial Access: Spear Phishing (using malicious attachments or links).
  • TA0002 – Execution: Command and Scripting Interpreter (PowerShell used for executing malicious scripts).
  • TA0005 – Defense Evasion: Obfuscated Files or Information (using encoded PowerShell commands).
  • TA0007 – Discovery: System Information Discovery (collecting system information and active sessions).
  • TA0011 – Command and Control: Application Layer Protocol (using C2 servers for communication).

Indicator of Compromise :

  • [domain] citactica[.]com
  • [domain] icw2016[.]coachfederation[.]cz
  • [domain] hospitalvilleroy[.]com[.]br
  • [file name] procmap.exe
  • [file hash] d26ac1a90f3b3f9e11491f789e55abe5b7d360df77c91a597e775f6db49902ea
  • Check the article for all found IoCs.

Full Story: https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/

Tags: PERSISTENCE, PHISHING, BACKDOOR, DISCOVERY, DEFENSE EVASION, TOOL, RUSSIA, SOCIAL MEDIA