Categories: Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Government
Secret Blizzard Utilizes Third-Party Amadey Bots to Compromise Ukrainian Military Devices
A state-sponsored hacking group from Russia, identified as Center 16 of the Federal Security Service (FSB), has reportedly employed third-party data-stealing bots and possibly a backdoor associated with another hacking group to penetrate and surveil devices used by Ukrainian frontline military units. Operating under the name Secret Blizzard, this group was responsible for a serious breach that occurred between March and April 2024.
Microsoft attributed this espionage campaign to Secret Blizzard, stating that the group utilized the widely-known Amadey malware to establish PowerShell backdoors on their targets. This multifaceted operation featured a painstaking three-stage surveillance method aimed at collecting sensitive information from the devices.
Initially, the group leveraged Amadey bots to gather crucial device data, including names, administrator status, and antivirus codes. Following this, they deployed a reconnaissance tool targeting devices associated with Starlink IP addresses, particularly within the Ukrainian military’s ranks.
The final phase of their operation involved an executable file named “procmap.exe,” which allowed the deployment of the Tavdig backdoor payload, enabling further data collection regarding network connections, stored information, and communication logs. This was complemented by the KazuarV2 backdoor, facilitating advanced surveillance capabilities on the compromised devices.
Microsoft’s alert reflects ongoing concerns regarding Secret Blizzard, also known as the Venomous Bear, Snake, or Turla APT group. Earlier, Microsoft highlighted a remarkable incident involving the hijacking of a Pakistan-based espionage network, known as Storm-0156, where Secret Blizzard established backdoors on targeted devices globally. Notably, their targets included significant governmental entities in Afghanistan.
Active for over two decades, Secret Blizzard operates from Ryazan, near Moscow, specializing in covert operations against foreign government systems and seeking valuable intelligence for the Kremlin. The recent surveillance campaign coincided with other threat actors deploying cryptocurrency miners, highlighting a trend in which complex malware is frequently used concurrently for diverse cyber objectives.
It is speculated that the group employed spear-phishing techniques to entice military personnel into executing the Amadey bots on their devices. Historically, Secret Blizzard has taken advantage of spear-phishing as a primary entry point, subsequently compromising server-side systems to manipulate networks surreptitiously.
The reconnaissance tool employed in this operation collected extensive data from affected devices, encrypted it with the RC4 algorithm, and sent it back to Secret Blizzard’s command-and-control infrastructure. The tool was also capable of determining whether Microsoft Defender was enabled on targeted devices and whether it had previously detected any Amadey-related activity.
Researchers have observed that Secret Blizzard’s tactics closely mirror those of another Russian threat group, Storm-1837, which also compromised Ukrainian military devices in early 2024. The parallels suggest a coordinated approach among Russian state-sponsored actors, each exploiting vulnerabilities within the Ukrainian defense infrastructure.
Such incidents underscore the critical necessity for organizations to remain vigilant in their cybersecurity practices, particularly as nation-state threats continue to evolve in sophistication and targeting precision. The integration of frameworks like MITRE ATT&CK aids in understanding the tactical landscape, emphasizing the need for strategic defenses against emerging cyber threats.