“Russia Utilizes Unorthodox Tactics to Attack Starlink-Linked Devices in Ukraine”

### Secret Blizzard: The Russian Hacker Collective Utilizing Others’ Instruments for Espionage

In the landscape of cyber warfare, creativity and the ability to adapt are critical characteristics that determine the effectiveness of threat actors. One such collective, identified as **Secret Blizzard**, has adopted an unorthodox methodology for cyber espionage, especially visible in its activities against Ukraine amidst the ongoing conflict. By commandeering the tools and frameworks of various other threat actors, Secret Blizzard has showcased a distinctive and inventive strategy to fulfill its goals. Over the past seven years, reports from Microsoft and Lumen’s Black Lotus Labs indicate that this Russian state-sponsored hacking group has harnessed the assets of at least six other entities.

### **A Novel Form of Cyber Espionage**

Secret Blizzard, also recognized by aliases such as **Turla**, **Waterbug**, **Snake**, and **Venomous Bear**, has been noted for appropriating the infrastructure and malware from other threat actors to target Ukrainian military personnel. This strategy, though not completely new, is remarkable due to its scope and intentional execution. By using resources from other factions, Secret Blizzard not only conceals its own maneuvers but also gains entry into pre-existing points of access in target systems.

For example, in 2024, Secret Blizzard exploited the infrastructure of two distinct groups—**Storm-1919** and **Storm-1837**—to infiltrate devices utilized by Ukrainian front-line military units. These actions highlight the group’s emphasis on military targets and its commitment to intelligence gathering and reconnaissance.

### **Operational Tactics of Secret Blizzard**

Secret Blizzard typically gains initial access through **spear phishing** campaigns, followed by lateral movement across compromised servers and edge devices. However, its recent shift to employing third-party tools and resources represents a marked change in its standard tactics. Microsoft researchers are still investigating how Secret Blizzard accesses these external resources, with possibilities including covert theft or procurement through underground cyber markets.

#### **Case Study 1: Storm-1919 Infrastructure**
In the period from March to April 2024, Secret Blizzard tapped into **Amadey**, a bot typically employed by Storm-1919 for cryptojacking endeavors. Cryptojacking refers to exploiting victims’ computing power to mine cryptocurrency, but Secret Blizzard repurposed Amadey for espionage purposes. The group deployed malware to launch a PowerShell dropper on targeted devices, which subsequently installed a reconnaissance tool named **Tavdig**. Tavdig enabled Secret Blizzard to gather critical data, including user credentials, network setups, and installed updates.

Notably, the Amadey bot also aimed at devices connected to **Starlink**, a satellite internet service prominently used by Ukrainian military personnel. This illustrates Secret Blizzard’s focus on high-stakes targets and its capacity to adapt its tools to particular operational requirements.

#### **Case Study 2: Storm-1837 Infrastructure**
In January 2024, Secret Blizzard exploited a backdoor linked to Storm-1837, a Russia-based group notorious for targeting Ukrainian drone operators. The backdoor utilized the **Telegram API** to establish remote connections and retrieve additional payloads. Following this, Secret Blizzard installed its Tavdig backdoor, alongside a more sophisticated tool dubbed **KazuarV2**, which granted enduring access to the compromised systems.
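The two chains above (a commodity bot launching a PowerShell dropper, and a backdoor that fetches payloads over the Telegram API) give defenders two concrete behaviours to hunt for in endpoint telemetry. The following is an added detection sketch, not code from the Microsoft or Lumen reports; the trusted-parent baseline, the `api.telegram.org` hostname as the Telegram Bot API endpoint, and all sample events are assumptions constructed for the example.

```python
"""Detection sketch for the two behaviours described in the article:
(1) a PowerShell dropper spawned by an unexpected parent process, and
(2) a non-Telegram process beaconing to the Telegram Bot API host.
All events below are constructed sample telemetry, not real data."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str          # parent image name
    image: str           # process image name
    cmdline: str
    dest_host: str = ""  # outbound connection target, if any


# Assumed baseline: parents from which a PowerShell launch is usually legitimate.
TRUSTED_PS_PARENTS = {"explorer.exe", "cmd.exe", "code.exe", "services.exe", "svchost.exe"}
# Command-line tokens typical of droppers (encoded, hidden window, policy bypass).
SUSPICIOUS_PS_TOKENS = ("-enc", "-encodedcommand", "-nop", "hidden", "bypass")
# Assumed allow-list of processes expected to talk to api.telegram.org.
TELEGRAM_CLIENTS = {"telegram.exe"}


def detect(events):
    """Return (host, rule, detail) tuples for every event matching a rule."""
    alerts = []
    for e in events:
        img = e.image.lower()
        tokens = e.cmdline.lower().split()
        if img in ("powershell.exe", "pwsh.exe"):
            flags = [t for t in SUSPICIOUS_PS_TOKENS if t in tokens]
            if flags and e.parent.lower() not in TRUSTED_PS_PARENTS:
                alerts.append((e.host, "ps_dropper", f"{e.parent} -> powershell {' '.join(flags)}"))
        if e.dest_host.lower() == "api.telegram.org" and img not in TELEGRAM_CLIENTS:
            alerts.append((e.host, "telegram_c2", f"{e.image} -> {e.dest_host}"))
    return alerts


SAMPLE_EVENTS = [  # constructed: one benign and one suspicious case per rule
    ProcEvent("ws01", "explorer.exe", "powershell.exe", "powershell -NoProfile Get-Date"),
    ProcEvent("ws01", "updater.exe", "powershell.exe", "powershell -nop -w hidden -enc <base64>"),
    ProcEvent("ws02", "services.exe", "svc.exe", "svc.exe", dest_host="api.telegram.org"),
    ProcEvent("ws03", "explorer.exe", "Telegram.exe", "Telegram.exe", dest_host="api.telegram.org"),
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

Token matching (rather than substring matching) keeps a benign `-NoProfile` from tripping the `-nop` check; a real deployment would tune both allow-lists to the environment's baseline.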

### **Wider Implications**

Secret Blizzard’s method of hijacking third-party tools and infrastructure provides several benefits. First, it helps the group obscure its activities, complicating attribution for defenders. Second, it allows the group to bypass some initial barriers to access, since it can exploit pre-existing entry points established by other factions. However, this method has its drawbacks.

Microsoft’s evaluations indicate that while this tactic is effective against less-secured networks, it is less advantageous against fortified systems with strong endpoint and network defenses. The presence of tools from multiple threat actors within a single network can heighten the chances of detection, as defenders may spot irregular activity patterns.

### **An Opportunistic Pattern**

The utilization of third-party tools by Secret Blizzard extends beyond its operations in Ukraine. In late 2022, Microsoft noted that the group capitalized on tools from **Storm-0156**, a Pakistan-based threat actor, to target organizations in South Asia. This opportunistic trend—whether through theft, acquisition, or other methods—has become a defining feature of Secret Blizzard’s operations.

Overall, Microsoft has identified a minimum of six instances over the past seven years where Secret Blizzard has employed the resources of other groups. This calculated and intentional strategy emphasizes the group’s flexibility and its motivation to attain strategic goals through unorthodox methods.

### **Conclusion**

The actions of Secret Blizzard reveal the dynamic nature of cyber warfare and the growing intricacy of attribution and defense. By appropriating the tools and infrastructure of other threat actors, this group has displayed a crafty and opportunistic modus operandi for espionage. While this strategy presents certain advantages, it also entails risks, especially in