By Eliza Popova
They found that the group known as Secret Blizzard, Turla, Waterbug, Snake and Venomous Bear used servers and malicious software of other hacker organizations, in particular, Storol-1837, involved in tracking Ukrainian drones. It is unknown how she got access to this infrastructure was probably stolen or accessed. From March to April 2024, Secret Blizzard used Amadey malicious software related to the Storm-1919 group to defeat the devices of the Ukrainian army with the Powershell Droper.
The ultimate goal was to set a "backdow" to find interesting goals. In one of Amdey Microsoft's bot, the information collected from the buffers of devices and passwords from browsers was found. In addition, the software checked the presence of antiviral programs.
He then installed a special reconnaissance tool that selectively unfolded on devices that were interested in hackers, for example, on laptops that connect to the Starlink Satellite Internet - they use the forces of Ukraine massively on the fronts. After that, the Russians installed the Tavdig virus to collect valuable user information and install their own settings.
In January 2024, the Microsoft Corporation noticed a military device in Ukraine, broken by the Storm-1837 virus, set to use the Telegram API to start the commissioning command (provided as parameters) for an account on the Mega file platform. He probably forced the affected system to download and run files. Microsoft drew attention: then used Powershell Droper, very similar to the one that was observed when using Amadey bots and contained two files in Base64 coding that contained Tavdig (Rastls.
dll) and Binary File Symantec (Kavp. exe) . According to experts, Secret Blizzard has launched tools on the affected means and embedded new functions in them to make them more effective for spying a nursing Ukrainian military. In addition, Secret Blizzard probably also tried to use these points to extend access to the ministry. To protect the networks, users were recommended to turn on and set up the Microsoft Defender protective application.
English
Українська
USA
Français
Deutsch
Italiano
Polski
Čeština
Español
Slovensku
