Turla living off other cybercriminals’ tools in order to attack Ukrainian targets
A Russian nation-state threat actor has been observed leveraging tools from other cybercriminal groups to compromise targets in Ukraine, a recent report by Microsoft Threat Intelligence disclosed. This clandestine approach, which Microsoft has highlighted for the second time in as many weeks, shows how Turla uses a wide range of attack vectors to infiltrate networks that align with its own country’s geopolitical interests.
Between March and April 2024, the group, which Microsoft refers to as Secret Blizzard, orchestrated a campaign targeting devices associated with the Ukrainian military. The group relied on the Amadey bot malware, typically linked to cybercriminal activity Microsoft tracks as Storm-1919.
This malware, originally used to deploy cryptocurrency miners, was co-opted by Turla to install backdoors known as Tavdig and KazuarV2. This set of malware allowed Turla to bypass traditional security measures and gain long-term access to Ukrainian military networks.
Microsoft noted that this was at least the second recorded instance since 2022 in which the Russian group used infrastructure belonging to other cybercriminal groups to plant its malware. In another case from January 2024, Turla exploited a backdoor managed by Storm-1837, a Russian-aligned threat actor known for targeting Ukrainian drone pilots, to deploy similar malware.
The commandeering of other threat actors’ tools reflects Turla’s tactical shift toward hybrid espionage techniques. This includes using various cyber mechanisms, such as strategic web compromises, adversary-in-the-middle campaigns, and spear-phishing. Notably, these operations may be facilitated by legally mandated intercept systems within Russia.
Turla’s targets go beyond military installations, extending to foreign ministries, embassies, government offices, and defense companies worldwide. Last week, Microsoft and Lumen Technology’s Black Lotus Labs released research detailing how analysts caught Turla using networks associated with a Pakistani-based APT group for espionage operations aimed at Afghanistan and India.
Specialists attribute Turla, which is also known as Pensive Ursa or Waterbug, to Center 16 of Russia’s Federal Security Service (FSB).
Further analysis revealed that Turla was likely not in direct control of the command-and-control mechanisms operating the Amadey bots. Microsoft assesses that these could have been either purchased or hacked into — an example of a third-party access exploitation that grants Turla covert entry into sensitive networks.
This exploitation technique poses substantial challenges for organizational security postures, especially as Turla adapts its methods to include reconnaissance tools specifically designed for Ukrainian military devices. The toolset includes encrypted scripts and other reconnaissance tools, which are then used to escalate access to more strategic levels within Ukrainian military hierarchies.
You can read the full report on Microsoft’s website.