Russian Turla hackers hit Starlink-connected devices in Ukraine

Russian Turla hackers hit Starlink-connected devices in Ukraine

December 11, 2024 at 01:56PM

Russian cyber-espionage group Turla, also known as “Secret Blizzard,” is targeting Ukrainian military devices via Starlink by leveraging infrastructure from other threat actors, like Storm-0156 and Storm-1837. Their operations involve deploying custom malware, including Tavdig and KazuarV2, to gather intelligence on military activities.

### Meeting Takeaways: Turla Cyber Operations Targeting Ukraine

1. **Overview of Turla’s Operations**:
– Turla, also known as “Secret Blizzard,” is a Russian cyber-espionage group linked to the FSB.
– The group is exploiting the infrastructure of other threat actors, specifically targeting Ukrainian military devices connected via Starlink.

2. **Collaboration with Other Threat Actors**:
– Microsoft and Lumen have identified that Turla is hijacking and using the malware and servers of the Pakistani threat actor Storm-0156.
– In a recent operation, Turla used the Amadey botnet and resources from another Russian group, Storm-1837, to deploy its custom malware.

3. **Details of the Latest Campaign**:
– The campaign involved phishing emails with malicious attachments and utilized backdoors from Storm-1837 for initial access.
– Microsoft is investigating whether Turla gained access to the Amadey botnet through hijacking or purchasing.

4. **Methodology**:
– Initial access is obtained via the Amadey botnet, which has been active since 2018 for malware delivery.
– Custom reconnaissance tools, including batch files, are used to collect information on target devices, specifically those using Starlink.

5. **Targeting of Starlink Devices**:
– Turla specifically targets military devices using Starlink to gather critical intelligence on Ukrainian military activities.

6. **Link to Storm-1837**:
– Turla has been identified using Storm-1837’s PowerShell backdoor ‘Cookbox’ to facilitate further attacks, indicating potential collaboration or exploitation of Storm-1837’s capabilities.

7. **Malware Components**:
– Key malware families include:
– **Tavdig**: Lightweight backdoor for initial access and surveillance, capable of gathering sensitive information.
– **KazuarV2**: An advanced, stealthy backdoor for long-term intelligence collection and data exfiltration.

8. **Defensive Recommendations**:
– Microsoft has provided guidelines and hunting queries to help defenders mitigate risks associated with these Turla operations.

### Action Items:
– Review Microsoft’s proposed mitigations and tools for detecting Turla’s malware.
– Stay updated on new reports and findings related to Turla and associated threat actors.
– Consider collaboration with cybersecurity experts to enhance monitoring of potential threats from this group.

Full Article