December 12th, 2024

Russia takes unusual route to hack Starlink-connected devices in Ukraine

Russian hackers known as Secret Blizzard are targeting Ukrainian military devices using malware and tactics from other cybercriminal groups, including spear phishing and exploiting compromised servers, while adapting their methods over time.


Russian state-backed hackers tracked by Microsoft as Secret Blizzard (also known as Turla) have been using an unconventional route to reach Starlink-connected devices used by Ukrainian military personnel: rather than relying only on their own tooling, they piggyback on the infrastructure and malware of other threat groups. Microsoft reports that Secret Blizzard leveraged resources from Storm-1919 and Storm-1837 to reach Ukrainian front-line forces. Initial access came through spear phishing and compromised servers, with the group then moving laterally to devices of interest. In particular, Secret Blizzard used the Amadey bot, a commodity malware family that Storm-1919 normally uses for cryptojacking, to deploy its own Tavdig backdoor for reconnaissance. Tavdig collects system and network details from infected machines; Microsoft observed the group singling out devices whose IP addresses belonged to Starlink, the satellite service widely used by Ukrainian troops, which points to targets at or near the front line. The group has likewise borrowed tools from other actors to extend its espionage reach. Microsoft notes that relying on another group's foothold can work against poorly secured networks but is less likely to succeed against well-defended ones. The report places this in a longer pattern: Secret Blizzard has co-opted the tools or infrastructure of at least six other threat groups over the past seven years, suggesting a deliberate operational choice rather than a one-off.

- Secret Blizzard, a Russian state-backed group, is using the infrastructure and malware of other threat groups (Storm-1919, Storm-1837) to reach Ukrainian military devices.
- The group used the Amadey bot, normally associated with cryptojacking, to drop its Tavdig backdoor for reconnaissance and data collection, focusing on devices with Starlink IP addresses.
- Initial access relies on spear phishing and compromised servers, followed by lateral movement to targets of interest.
- Microsoft notes that borrowing another group's foothold is less likely to work against well-defended networks.
- Microsoft has seen Secret Blizzard co-opt tools from at least six other threat groups over the past seven years.
