cyberscoop.com

Turla living off other cybercriminals’ tools in order to attack Ukrainian targets

Skip to main content

Advertisement

Advertisement

Close

Listen to this article

0:00

Learn more. This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

Turla was able bypass traditional security measures and gain long-term access to Ukrainian military networks. (Getty Images)

A Russian nation-state threat actor has been observed leveraging tools from other cybercriminal groups to compromise targets in Ukraine, a recent report by Microsoft Threat Intelligence disclosed. This clandestine approach, which is the second time in as many weeks that Microsoft has highlighted the group’s effort, shows how Turla uses a wide range of attack vectors to infiltrate networks of its own country’s geopolitical interest.

Between March and April 2024, the group, which Microsoft refers to as Secret Blizzard, orchestrated a campaign targeting devices associated with the Ukrainian military. The group relied on the Amadey bot malware, typically linked to cybercriminal activity Microsoft tracks as Storm-1919.

This malware, originally used to deploy cryptocurrency miners, was co-opted by Turla to install backdoors known as Tavdig and KazuarV2. This set of malware allowed Turla to bypass traditional security measures and gain long-term access to Ukrainian military networks.

Microsoft noted that this was at least the second recorded instance since 2022 that the Russian groupused infrastructure being used by other cybercriminal groups to plant its malware. In another case from January 2024, Turla exploited a backdoor managed by Storm-1837, a Russian-aligned threat actor known for targeting Ukrainian drone pilots, to deploy similar malware.

Advertisement

The commandeering of other threat actors’ tools reflects Turla’s tactical shift toward hybrid espionage techniques. This includes using various cyber mechanisms, such as strategic web compromises, adversary-in-the-middle campaigns, and spear-phishing. Notably, these operations may be facilitated by legally mandated intercept systems within Russia.

Turla’s targets go beyond military installations, extending to foreign ministries, embassies, government offices, and defense companies worldwide. Last week, Microsoft and Lumen Technology’s Black Lotus Labs released research detailing how analysts caught Turla using networks associated with a Pakistani-based APT group for espionage operations aimed at Afghanistan and India.

Specialists attribute Turla, which is also known as Pensive Ursa or Waterbug, to Center 16 of Russia’s Federal Security Service (FSB).

Further analysis revealed that Turla was likely not in direct control of the command-and-control mechanisms operating the Amadey bots. Microsoft assesses that these could have been either purchased or hacked into — an example of a third-party access exploitation that grants Turla covert entry into sensitive networks.

This exploitation technique poses substantial challenges for organizational security postures, especially as Turla adapts its methods to include reconnaissance tools specifically designed for Ukrainian military devices. The toolset includes encrypted scripts and other reconnaissance tools, which are then used to escalate access to more strategic levels within Ukrainian military hierarchies.

Advertisement

You can read the full report on Microsoft’s website.

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

In This Story

Advertisement

Advertisement

Advertisement

More Scoops

The Russian flag flies over the country’s embassy in Washington, D.C., on Feb. 16, 2024. (Photo by Brendan SMIALOWSKI / AFP)

Russian-linked Turla caught using Pakistani APT infrastructure for espionage

Both Microsoft and Lumen’s BlackLotus Labs found Turla spying on Afghanistan and India via Pakistani infrastructure.

By Greg Otto

NEW YORK, NY – Exterior view of the Microsoft Times Square building on January 29, 2023 in New York City. (Photo by Kena Betancur/VIEWpress)

Ransomware encryption down amid surge of attacks, Microsoft says

By AJ Vicens

Ukrainian security forces stand guard with shell-damaged buildings in the background in the northwestern Kyiv suburb of Borodyanka, Ukraine, on April 21, 2022. (Photo by Scott Peterson/Getty Images)

Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say

Latest Podcasts

Government

Technology

Advertisement

Continue to CyberScoop

Read full news in source page