Microsoft confirms Ukrainian frontline was hit with hacks traced back to Russia

Hackers connected to the Russian government launched a cyberattack against Starlink-connected devices being used on the Ukrainian frontline.

TL;DR: Hackers linked to the Russian government targeted Starlink-connected devices on the Ukrainian frontline in a cyberattack.

A group of hackers connected to the Russian government has launched cyberattacks on Starlink-connected infrastructure in Ukraine in order to target devices used by Ukrainian soldiers on the frontline. Microsoft has confirmed that the infrastructure was compromised, and investigators still do not know which vulnerability was exploited.


Microsoft has labeled the group "Secret Blizzard," and according to reports and the latest Microsoft Security blog post, in at least one instance this year when Ukrainian frontline devices were targeted, Secret Blizzard used infrastructure created by a cybercrime group Microsoft tracks as Storm-1919. In another instance, Secret Blizzard leveraged infrastructure from a group called Storm-1837, a Russia-based cybercrime group that targets Ukrainian drone operations.

So, how did they gain access to the infrastructure? Microsoft explains that between March and April this year the cybercriminals used a bot swarm attack to install the XMRIG cryptocurrency-mining app on targeted servers. Typically, hackers install this malware and then use the device's resources to mine cryptocurrency, which they sell online for real money. However, Microsoft writes that the ultimate objective of the bot swarm malware was to install Tavdig, a backdoor Secret Blizzard used to conduct reconnaissance on the target device.

Microsoft explains that when Secret Blizzard identifies an individual as a high-value target, it deploys the Tavdig backdoor and collects valuable data such as browser passwords, user information, netstat output, installed patches, registry settings, and more.

"Microsoft assesses that Secret Blizzard either used the Amadey malware as a service (MaaS) or accessed the Amadey command-and-control (C2) panels surreptitiously to download a PowerShell dropper on target devices," Microsoft said. "The PowerShell dropper contained a Base64-encoded Amadey payload appended by code that invoked a request to Secret Blizzard C2 infrastructure."
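The dropper pattern Microsoft describes, a large Base64 literal in a PowerShell script followed by code that reaches out to a web address, is something a defender can look for in PowerShell script block logs. The following is an added example (not Microsoft's code or anything from the report) that scans constructed log entries for that combination; the script text, the `c2.example.invalid` host and the size threshold are all assumptions.

```python
"""Heuristic detection of a PowerShell dropper that embeds a Base64-encoded
payload and then makes a web request, run over constructed script-block text."""
import base64
import re

# Constructed PowerShell script-block log entries (not real samples).
SCRIPT_BLOCKS = [
    # benign: short Base64 config string, no network call
    "$cfg = [Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('aGVsbG8gd29ybGQ='))",
    # suspicious: large Base64 blob decoded, then a request to a web address
    "$p = [Convert]::FromBase64String('"
    + base64.b64encode(b"MZ" + b"\x90" * 300).decode()
    + "'); Invoke-WebRequest -Uri 'http://c2.example.invalid/' -UseBasicParsing",
    # benign: plain web request with no embedded payload
    "Invoke-WebRequest -Uri 'https://update.example.invalid/version.txt'",
]

# Single-quoted Base64 literal of at least 64 characters.
B64_RE = re.compile(r"'([A-Za-z0-9+/]{64,}={0,2})'")
# Common PowerShell ways of making an outbound web request.
NET_RE = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Net\.WebClient",
    re.I,
)
MIN_PAYLOAD = 256  # decoded bytes; smaller blobs are usually config strings


def embedded_payloads(script):
    """Return the decoded sizes of Base64 literals large enough to be a payload."""
    sizes = []
    for m in B64_RE.finditer(script):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # not valid Base64, ignore
        if len(data) >= MIN_PAYLOAD:
            sizes.append(len(data))
    return sizes


def is_dropper_like(script):
    """Flag a script block that carries a sizable payload AND calls out to the web."""
    return bool(embedded_payloads(script)) and NET_RE.search(script) is not None


def scan(blocks):
    """Return the indices of script blocks matching the dropper heuristic."""
    return [i for i, s in enumerate(blocks) if is_dropper_like(s)]
```

The heuristic is deliberately narrow: a Base64 blob alone or a web request alone does not fire, only the two together, which cuts down on noise from legitimate administration scripts.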

Microsoft adds that Tavdig would also result in additional reconnaissance software being installed on devices "of further interest by the threat actor, for example, devices egressing from STARLINK IP addresses, a common signature of Ukrainian front-line military devices."

News Source: microsoft.com


Jak joined TweakTown in 2017 and has since reviewed 100s of new tech products and kept us informed daily on the latest science, space, and artificial intelligence news. Jak's love for science, space, and technology, and, more specifically, PC gaming, began at 10 years old. It was the day his dad showed him how to play Age of Empires on an old Compaq PC. Ever since that day, Jak fell in love with games and the progression of the technology industry in all its forms.
