Russia takes unusual route to hack Starlink-connected devices in Ukraine
Russian nation-state hackers have followed an unusual path to gather intel in the country’s ongoing invasion of Ukraine—appropriating the infrastructure of fellow threat actors and using it to infect electronic devices its adversary’s military personnel are using on the front line.
On at least two occasions this year, the Russian hacking group tracked under names including Turla, Waterbug, Snake, and Venomous Bear has used servers and malware used by separate threat groups in attacks targeting front-line Ukrainian military forces, Microsoft said Wednesday. In one case, Secret Blizzard—the name Microsoft uses to track the group—leveraged the infrastructure of a cybercrime group tracked as Storm-1919. In the other, Secret Blizzard appropriated resources of Storm-1837, a Russia-based threat actor with a history of targeting Ukrainian drone operators.
The more common means for initial access by Secret Blizzard is spear phishing followed by lateral movement through server-side and edge device compromises. Microsoft said that the threat actor’s pivot here is unusual but not unique. Company investigators still don’t know how Secret Blizzard obtained access to the infrastructure.
