In the ongoing conflict between Russia and Ukraine, Russian state-sponsored hackers have taken an unusual route to spy on Ukrainian military personnel. The group, tracked by Microsoft as Secret Blizzard (also known as Turla), used malware and command-and-control servers that other threat actors had built and were operating for their own purposes. Riding on that borrowed infrastructure let them reach devices used by Ukraine's military, many of which were connected to the internet through Starlink.
Russia’s Unusual Hacking Tactics
Instead of relying only on traditional methods such as phishing emails or exploiting security flaws, the hackers reused malware and servers that other threat actors had already deployed. In one case they made use of the Amadey bot operated by a group tracked as Storm-1919, which normally uses it for an unrelated crime: installing cryptocurrency miners on infected machines. It is not established whether Secret Blizzard bought access to Amadey as a service or quietly took over its control panels; either way, the existing infections gave them a foothold on Ukrainian devices without having to break in themselves.
From March to April 2024, Secret Blizzard used the Amadey bot, which is operated (not written) by Storm-1919, as its delivery channel. Amadey was used to install a new tool called Tavdig, a backdoor for gathering information from infected devices. Tavdig let the hackers quietly profile the machine and steal data, and served as the stepping stone for further tooling.
Targeting Starlink-Connected Devices
Starlink, a satellite-based internet service, has been a vital tool for Ukraine’s military during the war. Many frontline military personnel use Starlink-connected devices to communicate and coordinate. Secret Blizzard found a way to identify and prioritize these devices as high-value targets.
Once a device was infected, the malware collected information such as user and session data, credentials, and network activity, as well as an inventory of the software installed on the device. What made the targeting notable was that this follow-on reconnaissance was deployed selectively to devices whose public IP addresses belonged to Starlink, a strong indicator that the machine was in use by Ukrainian forces near the front.
The hackers used PowerShell, the scripting environment built into Windows and heavily used by administrators, to drop additional malicious software onto the devices. Because legitimate PowerShell activity is so common, the malicious scripts could run with little chance of standing out, giving the hackers full access to the compromised devices.
In one attack, a "dropper" script silently installed Tavdig. Tavdig then collected details about network connections, the operating system, and its configuration. This reconnaissance told the hackers whether the infected device belonged to a high-priority target; if it did, they installed more advanced software for long-term spying.
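The two behaviours described above, a PowerShell dropper that decodes and executes an embedded payload and a burst of host and network reconnaissance commands, are exactly what a defender can look for in PowerShell script block logging. The following detection sketch is an added example and is not code from the article or from any vendor report. The log lines are constructed to resemble a SIEM export of Windows Event ID 4104 (timestamp, host, user, event ID, script text); that export format, the host and user names, and the thresholds are all assumptions.

```python
"""Detect decode-write-execute droppers and reconnaissance bursts in
PowerShell script block logs. Added illustration; the input format and
sample lines below are constructed, not taken from a real incident."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines: "<timestamp> <host> <user> 4104 <script text>"
SAMPLE_LOGS = [
    "2024-03-12T09:14:02Z WS-17 ivan 4104 Get-ChildItem C:\\Users\\ivan\\Documents",
    "2024-03-12T09:16:40Z WS-17 ivan 4104 $b=[Convert]::FromBase64String('TVqQAAMAAAAEAAAA');"
    "[IO.File]::WriteAllBytes('C:\\ProgramData\\svc.dll',$b);"
    "rundll32.exe C:\\ProgramData\\svc.dll,Start",
    "2024-03-12T09:16:41Z WS-17 ivan 4104 systeminfo",
    "2024-03-12T09:16:42Z WS-17 ivan 4104 netstat -ano",
    "2024-03-12T09:16:43Z WS-17 ivan 4104 route print",
    "2024-03-12T09:16:44Z WS-17 ivan 4104 net share",
    "2024-03-12T10:30:00Z WS-22 olha 4104 Get-Process | Sort-Object CPU",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) 4104 (.*)$")

# A dropper decodes an embedded payload, writes it to disk and runs it.
# Each step alone is common in admin scripts; the combination is the signal.
DECODE_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
WRITE_RE = re.compile(r"WriteAllBytes|Set-Content|Out-File|Add-Content", re.I)
EXEC_RE = re.compile(r"rundll32|regsvr32|Start-Process|Invoke-Expression|\biex\b|\.exe\b", re.I)

# Host/network reconnaissance commands typical of post-exploitation triage.
RECON_CMDS = {
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "netstat": re.compile(r"\bnetstat\b", re.I),
    "route": re.compile(r"\broute print\b|Get-NetRoute", re.I),
    "shares": re.compile(r"\bnet share\b|Get-SmbShare", re.I),
    "sessions": re.compile(r"\bquery user\b|\bqwinsta\b", re.I),
    "ipconfig": re.compile(r"\bipconfig\b", re.I),
}


def parse_line(line):
    """Split one export line into its fields; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, script = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "host": host, "user": user, "script": script}


def classify_dropper(script):
    """Return a finding if the script decodes, writes and executes a payload."""
    decode = DECODE_RE.search(script)
    if not (decode and WRITE_RE.search(script) and EXEC_RE.search(script)):
        return None
    finding = {"payload_is_pe": False}
    try:  # the embedded blob is right there in the log: peek at it
        payload = base64.b64decode(decode.group(1), validate=True)
        finding["payload_is_pe"] = payload.startswith(b"MZ")  # PE/DLL header
    except ValueError:
        pass  # not decodable inline (chunked or obfuscated); still a dropper
    return finding


def recon_commands(script):
    return {name for name, rx in RECON_CMDS.items() if rx.search(script)}


def find_recon_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Flag hosts running >= min_distinct distinct recon commands within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        cmds = recon_commands(ev["script"])
        if cmds:
            by_host[ev["host"]].append((ev["ts"], cmds))
    bursts = []
    for host, items in by_host.items():
        items.sort(key=lambda x: x[0])
        i = 0
        while i < len(items):
            start, seen, j = items[i][0], set(), i
            while j < len(items) and items[j][0] - start <= window:
                seen |= items[j][1]
                j += 1
            if len(seen) >= min_distinct:
                bursts.append({"host": host, "start": start, "commands": sorted(seen)})
                i = j  # skip past the burst we just reported
            else:
                i += 1
    return bursts


def analyze(lines):
    events = [e for e in (parse_line(l) for l in lines) if e]
    droppers = []
    for ev in events:
        f = classify_dropper(ev["script"])
        if f:
            droppers.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"], **f})
    return {"droppers": droppers, "recon_bursts": find_recon_bursts(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for d in result["droppers"]:
        print(f"dropper on {d['host']} by {d['user']} at {d['ts']} (PE payload: {d['payload_is_pe']})")
    for b in result["recon_bursts"]:
        print(f"recon burst on {b['host']} from {b['start']}: {', '.join(b['commands'])}")
```

On the constructed input this reports one dropper on WS-17 (the decoded blob begins with the "MZ" header of a Windows executable) and one reconnaissance burst on the same host. Correlating the two on one host within minutes is the triage pattern the article describes; a single systeminfo call on its own would not be worth an alert.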
Using Tools from Other Hackers to Target Starlink Devices
What made these attacks even more unusual was the way Secret Blizzard drew on the resources of other hacking groups. In January 2024, for example, they used a backdoor belonging to a group tracked as Storm-1837. That group typically targets drone operators in Ukraine, but Secret Blizzard repurposed its malware to reach military devices.
The Storm-1837 backdoor used Telegram, a popular messaging app, as its command channel: commands to infected devices were passed through the Telegram bot API rather than a dedicated server. Secret Blizzard used this channel to download its Tavdig backdoor and another implant called KazuarV2. Tavdig handled the initial profiling of the device while KazuarV2 provided longer-term access and intelligence collection.
The method was both strategic and risky. By operating through the tools of other groups, Secret Blizzard could hide its activity behind the digital footprints of others and complicate attribution. The same approach, however, also increased the chances of being discovered, because security researchers were able to trace the unusual mix of tools and techniques back to Secret Blizzard.
In some cases, the hackers also used infrastructure from a Pakistan-based group tracked as Storm-0156. Researchers first observed Secret Blizzard using that group's access in late 2022. Over the years, Secret Blizzard has been known to appropriate the tools of at least six other hacking groups. Stealing or purchasing access from other threat actors has become a deliberate strategy for conducting espionage.
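A Telegram bot used as a command channel has a recognisable shape on the wire: the implant polls getUpdates for operator commands and pushes results back with sendMessage or sendDocument, all over HTTPS to api.telegram.org. The following detection sketch, an added example that is not code from the article or from any vendor report, finds that pattern in web-proxy logs that record the originating process. The log format, the host and process names, the allowlist of known legitimate bots, and the bot tokens are all constructed assumptions.

```python
"""Flag non-browser processes using the Telegram Bot API as a command channel.
Added illustration; the proxy log format and every line below are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy export: "<timestamp> <host> <process> <method> <url>"
SAMPLE_PROXY_LOGS = [
    "2024-01-09T07:02:11Z WS-31 powershell.exe GET https://api.telegram.org/bot7123456789:AAH-constructed-token/getUpdates?offset=12",
    "2024-01-09T07:02:41Z WS-31 powershell.exe GET https://api.telegram.org/bot7123456789:AAH-constructed-token/getUpdates?offset=13",
    "2024-01-09T07:03:05Z WS-31 powershell.exe POST https://api.telegram.org/bot7123456789:AAH-constructed-token/sendDocument",
    "2024-01-09T07:03:06Z WS-31 powershell.exe GET https://cdn.example.net/update.ps1",
    "2024-01-09T07:05:00Z WS-31 chrome.exe GET https://web.telegram.org/a/",
    "2024-01-09T07:10:00Z SRV-01 python.exe POST https://api.telegram.org/bot5550001111:AAG-constructed-alert-bot/sendMessage",
]

# Bot API URLs look like /bot<bot_id>:<secret>/<method>. The secret is a C2
# credential; we capture it only to avoid echoing it into findings.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)$")
POLL_METHODS = {"getUpdates"}                                # fetch operator commands
PUSH_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}  # return output or files

# Assumed known-good bot users in this environment, e.g. an alerting script.
ALLOWED_BOT_USERS = {("SRV-01", "python.exe")}


def parse_proxy_line(line):
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, proc, method, url = parts
    return {"ts": ts, "host": host, "process": proc, "method": method, "url": url}


def bot_api_call(url):
    """Return bot id and API method if the URL is a Telegram Bot API request."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)
    if not m:
        return None
    return {"bot_id": m.group(1), "method": m.group(3)}


def find_telegram_c2(lines, allowlist=ALLOWED_BOT_USERS):
    """Group Bot API calls per (host, process, bot) and report unexpected users.

    c2_pattern is set when the same process both polls for commands and
    pushes data back, the two-way traffic a Telegram-controlled implant needs.
    """
    stats = defaultdict(lambda: {"polls": 0, "pushes": 0, "first": None, "last": None})
    for line in lines:
        ev = parse_proxy_line(line)
        call = bot_api_call(ev["url"]) if ev else None
        if not call:
            continue
        s = stats[(ev["host"], ev["process"], call["bot_id"])]
        if call["method"] in POLL_METHODS:
            s["polls"] += 1
        elif call["method"] in PUSH_METHODS:
            s["pushes"] += 1
        s["first"] = s["first"] or ev["ts"]
        s["last"] = ev["ts"]
    findings = []
    for (host, proc, bot_id), s in stats.items():
        if (host, proc) in allowlist:
            continue
        findings.append({
            "host": host, "process": proc, "bot_id": bot_id,
            "polls": s["polls"], "pushes": s["pushes"],
            "first": s["first"], "last": s["last"],
            "c2_pattern": s["polls"] > 0 and s["pushes"] > 0,
        })
    return findings


if __name__ == "__main__":
    for f in find_telegram_c2(SAMPLE_PROXY_LOGS):
        print(f"{f['host']} {f['process']} talks to bot {f['bot_id']}: "
              f"{f['polls']} polls, {f['pushes']} pushes, c2_pattern={f['c2_pattern']}")
```

The browser session to web.telegram.org is ignored because it is not a Bot API call, and the allowlisted alerting script on SRV-01 is suppressed; what remains is powershell.exe on WS-31 polling a bot for commands and sending a document back. The bot id is a useful pivot across hosts, since an operator typically reuses one bot for a campaign, while the token itself is deliberately kept out of the findings.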
A Highly Sophisticated Operation
The use of hijacked tools and repurposed malware shows how Secret Blizzard adapted to overcome challenges in accessing Ukrainian military networks. The group’s focus on devices connected to Starlink highlights the importance of this technology in Ukraine’s defense efforts.
These attacks underline how sophisticated cyber warfare has become in modern conflicts. Rather than relying solely on their own tooling, threat actors like Secret Blizzard are finding ways to leverage existing cybercrime and espionage infrastructure for military purposes, layering their own backdoors on top of someone else's foothold.
By exploiting devices on the front lines, the hackers were able to gather crucial information that could impact the course of the conflict. The operation demonstrates the lengths to which state-sponsored hacking groups will go to achieve their objectives. The use of advanced malware, combined with the appropriation of third-party tools, has introduced a new layer of complexity to the digital battlefield.