Russia takes unusual route to hack Starlink-connected devices in Ukraine
Russian nation-state hackers have followed an unusual path to gather intel in the country's ongoing invasion of Ukraine—appropriating the infrastructure of fellow threat actors and using it to infect electronic devices its adversary's military personnel are using on the front line.
On at least two occasions this year, the Russian hacking group, tracked under names including Turla, Waterbug, Snake, and Venomous Bear, has used servers and malware used by separate threat groups in attacks targeting front-line Ukrainian military forces, Microsoft said Wednesday. In one case, Secret Blizzard—the name Microsoft uses to track the group—leveraged the infrastructure of a cybercrime group tracked as Storm-1919. In the other, Secret Blizzard appropriated resources of Storm-1837, a Russia-based threat actor with a history of targeting Ukrainian drone operators.
The more common means for initial access by Secret Blizzard is spear phishing followed by lateral movement through server-side and edge device compromises. Microsoft said that the threat actor's pivot here is unusual but not unique. Company investigators still don't know how Secret Blizzard obtained access to the infrastructure.