Russian-Backed Hackers Target Ukraine's Military with Cybercriminal Tools

Alexis Rowe

December 11, 2024 · 3 min read
A recent report by Microsoft has shed light on a sophisticated hacking campaign carried out by a Russian-government backed group, known as Secret Blizzard, which targeted Ukraine's military using tools and infrastructure developed by cybercriminals. This alarming development highlights the increasing trend of nation-state hackers leveraging cybercriminal resources to carry out espionage activities.

The hacking campaign, which took place between March and April of this year, utilized a botnet known as Amadey, allegedly sold on Russian hacking forums and developed by a cybercriminal group. Microsoft researchers believe that Secret Blizzard either purchased access to the botnet as a malware-as-a-service or hacked into it to gain control. The primary goal of the hackers was to evade detection, and using commodity tools allowed them to potentially hide their origin and make attribution more difficult.

According to Microsoft's report, Secret Blizzard targeted computers related to the Ukrainian Army and Ukrainian Border Guard, deploying malware designed to gather information about a victim's system. The hackers used custom backdoors called Tavdig and KazuarV2, which have never been seen used by other groups, further solidifying the attribution to Secret Blizzard. The malware was used to determine whether the targets were "of further interest," and in some cases, targeted devices using Starlink, SpaceX's satellite service, which has been used by the Ukrainian military in their operations fighting invading Russian forces.

This is not the first time Secret Blizzard has used cybercrime campaigns to facilitate footholds for its own malware in Ukraine. Microsoft's report notes that this is at least the second time since 2022 that the group has employed this tactic. Secret Blizzard is known to target "ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide" with a focus on long-term espionage and intelligence collection.

The report also highlights a concerning trend in cyberespionage, where nation-state hackers co-opt the tools and infrastructure of other hacking groups to carry out their activities. Last week, Microsoft and security firm Black Lotus Labs published reports showing how Secret Blizzard had piggybacked on a Pakistan-based hacking group to reach military and intelligence targets in Afghanistan and India. This technique, which Secret Blizzard has employed since 2017, involves taking advantage of other hackers' tools and infrastructure, making attribution even more challenging.

The Russian embassy in Washington, D.C., and the FSB did not respond to requests for comment on the matter. As the Russia-Ukraine conflict continues to escalate, the cyber warfare aspect of the conflict is becoming increasingly important, and this latest development underscores the need for heightened vigilance and cooperation in the cybersecurity community.

The incident also raises questions about the role of cybercriminals in facilitating nation-state hacking activities. As the lines between cybercrime and cyberespionage continue to blur, it is essential to understand the motivations and tactics of these groups to develop effective countermeasures. Microsoft's report serves as a timely reminder of the evolving nature of cyber threats and the need for sustained efforts to combat them.
