For Russian spies, existing cybercrime tools become avenues into Ukrainian military devices
Kremlin-backed hackers have turned to an unconventional tactic to target Ukraine's military, researchers have found. In a recent campaign, the group known as Secret Blizzard hijacked tools and infrastructure from Russian cybercriminals, repurposing them for espionage.
The likely aim of this approach is to diversify the group's attack vectors, according to a new report by Microsoft. Other researchers have previously noted that this tactic also complicates attribution, allowing the group to shift blame to other threat actors if their malicious actions are uncovered.
Secret Blizzard, also tracked as Turla, has tried the strategy elsewhere before using it in Ukraine. Researchers have identified at least four instances where the group appeared to embed itself in another threat actor’s operations. Earlier in December, Microsoft detailed Secret Blizzard’s attacks on government-related targets in India and Afghanistan, conducted through the infrastructure used by a Pakistan-based cyber-espionage group.
In a report published Wednesday, Microsoft said it discovered two campaigns in which Secret Blizzard used the infrastructure of fellow threat actors to deploy custom malware on devices associated with the Ukrainian military.
Between March and April of this year, Secret Blizzard appropriated a tool called Amadey, which is associated with the cybercrime group Storm-1919, known for deploying cryptocurrency miners.
In this campaign, the Russian state-backed cyberspies used Amadey to gather information about the victim system, check for installed antivirus software, and later deploy the Tavdig backdoor to conduct further surveillance.
As part of this operation, Secret Blizzard targeted some of Ukraine’s military devices that communicate or transmit data over the internet using Starlink's satellite-based internet service, according to the report.
Microsoft said that Secret Blizzard either used the Amadey malware as a service or covertly accessed its infrastructure. The tool is sold for about $500 on Russian-speaking hacking forums.
In the second campaign, in January, Secret Blizzard used the backdoor of Storm-1837, another Russia-based threat actor that previously targeted Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors onto a target device in Ukraine. KazuarV2 is designed for long-term intelligence collection and data exfiltration.
Storm-1837 uses a range of backdoors, including Cookbox, as well as an Android backdoor impersonating a legitimate system used for AI processing, called Griselda.
It is not clear how successful these two campaigns were or what kind of data — if any — Secret Blizzard managed to obtain. The group, previously linked to Russia’s Federal Security Service (FSB), is known for stealing politically significant information, particularly advanced research.
Secret Blizzard has a history of targeting ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. During its operations, it collects and exfiltrates sensitive materials, including documents, PDFs and email content.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.