Freeloader: Russian Actor Secret Blizzard Exploits Other Groups’ Tools to Attack Ukraine

Threat Overview

AlienVault has recently published a threat report highlighting the activities of a nation-state actor known as Secret Blizzard. This actor group, associated with Russia, has been observed using tools and infrastructure from other malicious actors to compromise targets in Ukraine.

Background

Between March and April 2024, Secret Blizzard used the Amadey bot malware, a commodity loader associated with cybercriminal activity, as the delivery channel for its own tooling. Earlier, in January 2024, Secret Blizzard leveraged a backdoor belonging to Storm-1837 to install its malware.

Scope

The attacks were conducted against Ukrainian military targets. For initial access the actor has used multiple vectors, including strategic web compromises, adversary-in-the-middle (AiTM) campaigns, and spear-phishing.

Tactics, Techniques, and Procedures (TTPs)

Secret Blizzard’s approach to gaining access is diverse. Techniques it employs include:

Strategic Web Compromises (watering holes): Compromising websites and domains belonging to Ukrainian military institutions so that their visitors are served malicious content.
Adversary-in-the-Middle: Interposing on communications between servers, devices, or networks in order to read or alter traffic in transit.

Access Vector

Rather than relying solely on its own initial-access tooling, Secret Blizzard piggybacked on footholds established by others: between March and April 2024 it used Amadey bot infections to stage its deployment, and in January 2024 it leveraged a Storm-1837 backdoor to install its malware.

Amadey Bot Malware: Amadey is a commodity loader run by cybercriminals; whoever controls an infection can push further payloads to the infected host. Secret Blizzard used that capability to deploy its own code onto machines of interest, so a "commodity" infection on a sensitive network should be treated as a potential staging point for a far more capable actor.

Tools and Infrastructure Used

Secret Blizzard has used tools and infrastructure belonging to other threat actors, namely the Amadey bot infrastructure and a Storm-1837 backdoor, as delivery channels for its own malware:

Tavdig and KazuarV2 Backdoors: These are Secret Blizzard’s own custom backdoors, not borrowed tooling. The actor used the access obtained through the other groups’ implants to deploy Tavdig and KazuarV2 on Ukrainian military devices.

Techniques Exploited for Execution of Attacks

The actor relies on a range of techniques, such as spear-phishing, to gain initial access.

Spoofed senders and advance-fee ("Nigerian") scams are commonplace tools for attackers, including adversary groups that want to infiltrate networks remotely without revealing their intent. Both are used to trick users into divulging sensitive information.

Spear phishing is often used by adversary groups to bypass security defenses: a targeted message tricks a user into divulging credentials or running an attachment, which gives the attacker the foothold needed for further attacks and exploits.

Adversary-in-the-middle (AiTM) tactics complement these social-engineering approaches:

  • An attacker who interposes on a connection can read sensitive communications, such as passwords and other secrets, whenever the connection is not protected end to end. If the victim can be induced to accept the attacker’s certificate, or to fall back to an unencrypted channel, the intercepted messages are available to the attacker in clear.
  • The adversary can forward each message unchanged to its real recipient (passive interception), alter it in transit, hold it back, or impersonate either party and answer the message itself.
  • The consequences for the targeted organization range from theft of credentials and data, through exploitation of the intercepted information, to complete takeover of network systems.
  • A successful breach of a major organization can be lucrative for the attackers and their sponsors, whether the stolen information is used directly or sold on.
  • Defending against such methods can seem daunting, but it is essential not to be caught off guard.
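The interception and tampering described above, shown as an added example written for this page (it is not code from the threat report, from AlienVault, or from ESSGroup). A client sends a message to what it believes is the server, but the connection actually terminates at an attacker-controlled relay that logs the plaintext, optionally rewrites it, and forwards it on. The shared key, message format, ports and sample messages are constructed assumptions. The HMAC illustrates the integrity half of the defense: a relay that alters a field cannot fix up the MAC without the key, so the real server rejects the message. It does nothing for confidentiality, which is why the relay still captures the password; in practice TLS with proper certificate validation supplies both properties.

```python
import hashlib
import hmac
import json
import socket
import threading

# Constructed demo key: in a real deployment the integrity key comes from a TLS
# session or a provisioned secret, never a literal in the source.
SHARED_KEY = b"constructed-demo-key"


def _listener():
    """Bind a TCP listener on an ephemeral loopback port."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock


def client_encode(body, authenticate):
    """Build the wire message; the optional MAC binds the body to the shared key."""
    msg = {"body": body}
    if authenticate:
        msg["mac"] = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps(msg).encode()


def server_verify(raw):
    """Legitimate server: accept unauthenticated data, or verify the MAC if one is present."""
    msg = json.loads(raw)
    if "mac" not in msg:
        return b"OK (unauthenticated)"
    expected = hmac.new(SHARED_KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, msg["mac"]):
        return b"OK (authenticated)"
    return b"REJECT: MAC mismatch"


def _server(sock):
    conn, _ = sock.accept()
    with conn, sock:
        conn.sendall(server_verify(conn.recv(4096)))


def _aitm_relay(sock, upstream_port, captured, tamper):
    """Attacker-controlled hop: reads the plaintext, optionally rewrites it, forwards it."""
    conn, _ = sock.accept()
    with conn, sock:
        msg = json.loads(conn.recv(4096))
        captured.append(msg["body"])  # passive interception: nothing changed yet
        if tamper:                    # active attack: rewrite a field, leave any MAC as-is
            msg["body"] = msg["body"].replace("10.0.0.5", "10.0.0.66")
        with socket.create_connection(("127.0.0.1", upstream_port)) as up:
            up.sendall(json.dumps(msg).encode())
            conn.sendall(up.recv(4096))


def exchange(body, authenticate=False, tamper=False):
    """Run one client -> relay -> server exchange; return (server reply, what the relay saw)."""
    server_sock, relay_sock = _listener(), _listener()
    captured = []
    threads = [
        threading.Thread(target=_server, args=(server_sock,), daemon=True),
        threading.Thread(target=_aitm_relay,
                         args=(relay_sock, server_sock.getsockname()[1], captured, tamper),
                         daemon=True),
    ]
    for t in threads:
        t.start()
    # The victim believes relay_sock is the real service (e.g. after DNS or ARP poisoning).
    with socket.create_connection(("127.0.0.1", relay_sock.getsockname()[1])) as c:
        c.sendall(client_encode(body, authenticate))
        reply = c.recv(4096).decode()
    for t in threads:
        t.join(timeout=5)
    return reply, captured


if __name__ == "__main__":
    print(exchange("user=admin;pass=hunter2"))                                   # relay reads the password
    print(exchange("deploy agent to 10.0.0.5", authenticate=True, tamper=True))  # server rejects
    print(exchange("deploy agent to 10.0.0.5", authenticate=True, tamper=False)) # server accepts
```

The first call shows why "the intercepted messages are available for review": without encryption the relay sees the credential verbatim. The second shows that an integrity check catches silent modification, and the third that an honest relay (or a correctly forwarded message) still passes, so the check does not break legitimate traffic.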

Initial Access

Spear phishing is the actor’s most direct route past perimeter defenses: a targeted message tricks a user into divulging sensitive information or running malicious content, which the attacker then uses to execute further attacks and exploits.

  • Initial access is the stage of an intrusion that gives the attacker a foothold inside the target network. Once that foothold exists, the attacker can begin post-exploitation across the network with various tools and techniques, manipulating systems to its advantage.
  • Consequences for the organization: loss or theft of sensitive data, including information that was believed to be secure, and potentially full compromise of systems. A successful breach of a major organization can be highly lucrative for the attackers and their sponsors if the stolen information is sold on. Protecting against these attacks can seem daunting, but it is essential not to be caught off guard.
  • Spear phishing targets specific individuals with emails carrying malicious links or attachments. The message typically carries misleading information or a fake update notice from a trusted source such as an IT administrator. Attackers target in this way because they often know which software and platforms a company uses, and they tailor the lure to those platforms.
  • Social engineering is the process of manipulating people into divulging confidential information. The attacker plays on emotions, exploiting perceived authority, fear, or a sense of urgency to trick victims into doing their bidding.
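The lure characteristics described above (a sender posing as IT, a fake update, a malicious link or attachment) can be turned into mail-gateway heuristics. The following is an added example written for this page, not code from the threat report or from ESSGroup; the organization domain, the two sample messages, the risky-extension list and the similarity threshold are constructed assumptions. It parses one raw message with the standard library and reports the indicators it finds.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-org.test"   # constructed: the defender's own mail domain
RISKY_EXT = (".exe", ".scr", ".js", ".hta", ".lnk", ".iso", ".zip", ".rar")
AUTHORITY = re.compile(r"\b(it|admin|administrator|helpdesk|support|security)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(text):
    """Hostname implied by visible link text, or None if the text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def analyze(raw_message):
    """Return a list of spear-phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)

    # 1. A display name claiming IT/support authority, but mailed from outside the org.
    if AUTHORITY.search(display) and from_dom != ORG_DOMAIN:
        findings.append(f"authority display name '{display}' from external domain {from_dom}")

    # 2. Sender domain that is almost, but not quite, ours (typosquat / homoglyph).
    if from_dom != ORG_DOMAIN and SequenceMatcher(None, from_dom, ORG_DOMAIN).ratio() > 0.8:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Replies silently redirected to a different domain than the visible sender.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment {filename}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", errors="replace")

    # 4. Link text shows one host while the href goes somewhere else.
    for href, text in LINK.findall(body):
        shown, real = _host(re.sub(r"<[^>]+>", "", text)), urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


# Constructed sample: a lure impersonating the IT helpdesk with a fake update.
PHISH = """\
From: "IT Administrator" <helpdesk@examp1e-org.test>
Reply-To: support@mail-update.test
To: analyst@example-org.test
Subject: Mandatory VPN client update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Install the update today: <a href="http://vpn-update.test/setup">https://vpn.example-org.test/update</a></p>
--b1
Content-Type: application/zip; name="VPN-Update.zip"
Content-Disposition: attachment; filename="VPN-Update.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN = """\
From: "Jane Doe" <jane.doe@example-org.test>
To: analyst@example-org.test
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Still on for 12:30?
"""

if __name__ == "__main__":
    for finding in analyze(PHISH):
        print("PHISH:", finding)
    print("BENIGN:", analyze(BENIGN))
```

Each heuristic on its own produces false positives (a contractor's support desk really does mail from another domain), so in practice these findings feed a score or a quarantine rule rather than an outright block; the value is that the combination of authority claim, lookalike domain, diverted replies, archive attachment and mismatched link is rare in legitimate mail and typical of the lures the report describes.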

Recommendations

Based on the threat report, several recommendations can be made for improving cybersecurity posture:

Monitor for activity attributed to the groups named in the report: Secret Blizzard itself, and the groups whose tooling it borrows, such as Storm-1837 and the operators of Amadey. A commodity infection on a sensitive network should be investigated as a possible staging point, not merely cleaned.

Implementing robust security controls and protocols helps protect an organization’s sensitive assets against these advanced threats. Regularly updating software packages is also recommended so that newly disclosed vulnerabilities and bugs are closed before they are exploited; patching cannot prevent exploitation of a true zero-day, which is why the layered controls below matter as well.

Regular maintenance and monitoring can identify vulnerabilities before an attacker does. An organization should also have multiple layers of protection against the relevant threat vectors; firewalls and intrusion detection systems are two examples.

Cybersecurity Tips:

One of the most effective ways to prevent compromise is to implement robust security measures such as multi-factor authentication, firewalls, and network-level controls.

  • Network segmentation: Divide larger networks into smaller segments, isolating sensitive systems so that a foothold on a commodity-infected workstation does not translate into access to them.
  • Tips from experts: Regularly back up critical data and use a reputable endpoint protection product. Consider also subscribing to a reputable third-party threat-intelligence service.
  • Training for employees: Educate network users on phishing tactics, safe browsing practices, correct use of email clients, and how to respond to social-engineering attempts. Well-trained staff spot fraudulent calls and messages more easily and avoid falling for them, which greatly reduces the organization’s exposure.
  • Employer-mandated cybersecurity training, timely software updates, and regular security audits are the best course of action.

Cyber Security Awareness Month is recognized internationally as an occasion to review and strengthen the measures that protect sensitive data.


Discover more from ESSGroup

Subscribe to get the latest posts sent to your email.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading