Secret Blizzard

Threat Actor updated 7 months ago (2024-05-04T19:02:45.751Z)
Secret Blizzard, also known as Turla, KRYPTON, and UAC-0003, is a threat actor group linked to Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since the early 2000s, primarily targeting government organizations worldwide. The group's activities were emulated in this year's ATT&CK® Evaluations, highlighting their sophisticated techniques.

They have recently gained notoriety for targeted attacks against the defense sector in Ukraine and Eastern Europe, leveraging DeliveryCheck, a novel .NET backdoor used to deliver various second-stage payloads. In July 2023, Microsoft Threat Intelligence reported that Secret Blizzard had initiated targeted attacks on Microsoft Exchange servers. After initial infection, the group deploys open-source tools such as rclone to collect and exfiltrate files. In some instances, they deploy a fully featured Secret Blizzard implant known as Kazuar. This cyberespionage tool enables the threat actors to execute JavaScript, extract data from event logs, and steal credentials from various programs including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook.

The group's tactics, techniques, and use of the Kazuar malware link them with confidence to Russia's FSB-led group. These distinctive characteristics were noted by CERT-UA, reinforcing the association between Secret Blizzard and Russia's FSB. Furthermore, Secret Blizzard, along with another hacker group, Forest Blizzard, attempted to access an IT provider in Poland that serves sensitive sectors. This highlights the group's ongoing threat to global cybersecurity, necessitating vigilant monitoring and robust countermeasures.
Description last updated: 2024-05-04T17:08:23.141Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias description: Turla is a possible alias for Secret Blizzard. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant
Microsoft
Associated Malware
Alias description: The Kazuar Malware is associated with Secret Blizzard. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and
Association type: Unspecified
Votes: 2
Source Document References
Information about the Secret Blizzard Threat Actor was read from the documents corpus below. This display is limited to 20 results.