Microsoft says Russia is hacking Ukrainian military tech by stealing points
of entry from third-parties
Date:
Wed, 11 Dec 2024 17:00:00 +0000
Description:
Microsoft Threat Intelligence has observed Secret Blizzard using attack
vectors gained by other threat actors to compromise Ukrainian military
devices.
FULL STORY
Microsoft Threat Intelligence has revealed that the notorious Russian threat
actor Secret Blizzard has been leveraging the access and tooling of other
threat actors and cybercriminals to conduct espionage against targeted
organizations of interest in South Asia, as well as to install multiple
backdoors on devices in Ukraine.
The team highlighted that Secret Blizzard is using compromises carried out by
other Russian threat actors as an entry vector to install the Amadey bot
malware and backdoors onto Ukrainian devices for espionage purposes.
Secret Blizzard is assessed to either purchase or steal points of entry onto
Ukrainian devices from other Russia-aligned, state-sponsored threat actors in
order to diversify its means of monitoring devices and conducting attacks.
Espionage and monitoring
Secret Blizzard usually gains its initial point of access through
spearphishing, then moves laterally through networks of interest by
compromising servers and edge devices.
Once access to a device is gained, Secret Blizzard was observed deploying a
PowerShell dropper via the Amadey malware-as-a-service (MaaS), which allows it
to inspect device configurations and collect information through a
command-and-control (C2) server.
Amadey would then gather and relay information on the type of antivirus
software installed on the device, before installing two plugins on the target
device that Microsoft Threat Intelligence assesses are likely used to gather
clipboard data and browser credentials.
Secret Blizzard also favoured devices using a Starlink IP address, and on
those deployed a custom reconnaissance (survey) tool that collects data from
the targeted device including the directory tree, system information, active
sessions, the IPv4 route table, SMB shares, enabled security groups, and time
settings.
Microsoft Threat Intelligence also observed a cmd.exe command being used to
query Windows Defender for whether previous versions of the Amadey malware had
already been detected on the system, as a way of gauging whether the target
device was of interest.
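As an added illustration, not code from Microsoft's report or the TechRadar
story: a small Python detection that looks for the host-survey pattern
described above in process-creation logs. It assumes the survey is carried
out with built-in Windows commands launched from a single parent process;
the command names per category, the log line format and the sample events
are all constructed for this example. Because Microsoft describes the tool
as custom, a collector that calls Win32 APIs directly would not spawn these
commands and this rule alone would miss it; it is one signal to pair with
the Amadey and Defender-query indicators the article mentions.

```python
"""Flag a burst of host-survey commands from one parent process.

Added example (not from the Microsoft report or the TechRadar article).
Assumptions: the survey categories named on the page are gathered with the
built-in Windows commands listed below, and process-creation telemetry has
been flattened into one line per event in the constructed format:
    <ISO-8601 UTC ts> host=<name> ppid=<int> pid=<int> cmd="<command line>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Survey category -> command-line patterns that would collect it.
# This mapping is an assumption for illustration, not from the report.
SURVEY_SIGNATURES = {
    "directory_tree":   re.compile(r"\btree\b|\bdir\b.*\/s", re.I),
    "system_info":      re.compile(r"\bsysteminfo\b", re.I),
    "active_sessions":  re.compile(r"\bquery\s+(session|user)\b|\bqwinsta\b", re.I),
    "ipv4_routes":      re.compile(r"\broute\s+print\b|\bGet-NetRoute\b", re.I),
    "smb_shares":       re.compile(r"\bnet\s+share\b|\bGet-SmbShare\b", re.I),
    "security_groups":  re.compile(r"\bnet\s+localgroup\b|\bwhoami\s+/groups\b", re.I),
    "time_settings":    re.compile(r"\bw32tm\b|\btzutil\b", re.I),
    # the page's check for earlier Defender detections (extra signal, not
    # counted toward the survey threshold)
    "defender_history": re.compile(r"Get-MpThreatDetection|Get-MpThreat\b", re.I),
}

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ppid=(?P<ppid>\d+)\s+pid=\d+\s+cmd="(?P<cmd>.*)"$'
)

def parse_event(line):
    """Parse one constructed log line; return None for lines that don't fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "ppid": int(m["ppid"]),
        "cmd": m["cmd"],
    }

def classify(cmd):
    """Return the set of survey categories a command line matches."""
    return {name for name, rx in SURVEY_SIGNATURES.items() if rx.search(cmd)}

def detect_survey_bursts(lines, window=timedelta(minutes=10), min_categories=4):
    """Group matching commands by (host, parent pid) and report any parent
    that covers at least `min_categories` distinct survey categories within
    `window`. One finding per parent, keyed on the earliest qualifying event."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        cats = classify(ev["cmd"])
        if cats:
            by_parent[(ev["host"], ev["ppid"])].append((ev["ts"], cats))

    findings = []
    for (host, ppid), events in by_parent.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, cats in events[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen - {"defender_history"}) >= min_categories:
                findings.append({
                    "host": host,
                    "ppid": ppid,
                    "first_seen": start,
                    "categories": sorted(seen),
                    "defender_history_queried": "defender_history" in seen,
                })
                break
    return findings

# Constructed sample: WS01 shows a full survey from one parent within seconds,
# plus the Defender-history query; WS02 shows two unrelated commands hours apart.
SAMPLE_LOG = """\
2024-12-01T09:00:05Z host=WS01 ppid=4412 pid=5000 cmd="systeminfo"
2024-12-01T09:00:06Z host=WS01 ppid=4412 pid=5001 cmd="query session"
2024-12-01T09:00:07Z host=WS01 ppid=4412 pid=5002 cmd="route print -4"
2024-12-01T09:00:08Z host=WS01 ppid=4412 pid=5003 cmd="net share"
2024-12-01T09:00:09Z host=WS01 ppid=4412 pid=5004 cmd="net localgroup"
2024-12-01T09:00:10Z host=WS01 ppid=4412 pid=5005 cmd="w32tm /query /status"
2024-12-01T09:00:11Z host=WS01 ppid=4412 pid=5006 cmd="tree C:\\ /F"
2024-12-01T09:00:12Z host=WS01 ppid=4412 pid=5007 cmd="powershell -c Get-MpThreatDetection"
2024-12-01T09:30:00Z host=WS02 ppid=800 pid=6000 cmd="systeminfo"
2024-12-01T11:45:00Z host=WS02 ppid=800 pid=6100 cmd="net share"
"""

if __name__ == "__main__":
    for f in detect_survey_bursts(SAMPLE_LOG.splitlines()):
        print(f)
```

The threshold of four distinct categories inside ten minutes is a tuning
choice: a single "net share" or "systeminfo" is routine admin activity, but
a parent that walks most of the list in quick succession is the survey
behaviour worth an alert, and the Defender-history flag is reported
alongside it rather than counted, so a legitimate AV health check never
tips a host over the threshold on its own.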
Secret Blizzard is actively adapting its attack techniques to target
Ukrainian military devices specifically, with Microsoft assessing that these
footholds are likely being exploited to escalate toward strategic access at
the Ministry level.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsoft-says-russia-is-hacking-ukrainian-military-tech-by-stealing-points-of-entry-from-third-parties
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)