Secret Blizzard

Threat Actor Profile Updated 3 months ago
Secret Blizzard, also known as Turla, KRYPTON, and UAC-0003, is a threat actor group linked to Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since the early 2000s and primarily targets government organizations worldwide. Its activities were emulated in this year's ATT&CK® Evaluations, which highlighted the group's sophisticated techniques.

The group has recently gained notoriety for targeted attacks against the defense sector in Ukraine and Eastern Europe, in which it leverages DeliveryCheck, a novel .NET backdoor used to deliver various second-stage payloads. In July 2023, Microsoft Threat Intelligence reported that Secret Blizzard had initiated targeted attacks on Microsoft Exchange servers. After initial infection, the group deploys open-source tools such as rclone to collect and exfiltrate files. In some instances it deploys a fully featured Secret Blizzard implant known as Kazuar. This cyberespionage tool enables the operators to execute JavaScript, extract data from event logs, and steal credentials from a range of programs, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook.

The group's tactics, techniques, and use of the Kazuar malware allow it to be linked with confidence to the FSB-led group. These distinctive characteristics were noted by CERT-UA, reinforcing the association between Secret Blizzard and Russia's FSB. Furthermore, Secret Blizzard, together with another hacker group, Forest Blizzard, attempted to access an IT provider in Poland that serves sensitive sectors. This underlines the group's ongoing threat to global cybersecurity and the need for vigilant monitoring and robust countermeasures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID / Votes / Profile Description

Turla (2 votes): Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat

Deliverycheck (1 vote): DeliveryCheck is a novel .NET-based malware that has been identified by Microsoft's Threat Intelligence as being used in targeted attacks against the defense sector in Ukraine and Eastern Europe. The threat actor behind these attacks is known as Secret Blizzard (also referred to as KRYPTON or UAC-00

Krypton (1 vote): Krypton, also known as Secret Blizzard or UAC-0003, is a significant threat actor that has been associated with Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since at least 2004, targeting diplomatic and government organizations as well as priva

Turla Group (1 vote): The Turla group, also known as Pensive Ursa, Krypton, Secret Blizzard, Venomous Bear, or Uroburos, is a notable threat actor that has been linked to the Russian Federal Security Service (FSB). With a history dating back to 2004, this group operates in painstaking stages, first conducting reconnaissa
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant
Microsoft
Backdoor
Malware
APT
VPN
Associated Malware
ID / Type / Votes / Profile Description

Kazuar (Unspecified, 2 votes): Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
Associated Threat Actors
ID / Type / Votes / Profile Description

Forest Blizzard (Unspecified, 1 vote): Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which

STRONTIUM (Unspecified, 1 vote): Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other aliases, is a Russia-linked threat actor that has been active since at least 2007. This group, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), has targeted governments, milita
Associated Vulnerabilities
ID / Type / Votes / Profile Description

No associations to display
Source Document References
Information about the Secret Blizzard threat actor was read from the document corpus below. This display is limited to 20 results.
Source / Created At / Title

CERT-EU (10 months ago): Microsoft 365 Defender demonstrates 100 percent protection coverage in the 2023 MITRE Engenuity ATT&CK® Evaluations: Enterprise | Microsoft Security Blog

CERT-EU (a year ago): Hackers Turn Exchange Servers into Malware Command & Control Centers

BankInfoSecurity (a year ago): Russian Hackers Probe Ukrainian Defense Sector With Backdoor

DARKReading (a year ago): Insights Into Nation-State Tactics: Lessons From Russia's Hybrid War In Ukraine