Russian state-backed advanced persistent threat operation Turla — also known as Secret Blizzard, Snake, Waterbug, and Venomous Bear — has been found using other cybercrime groups' tools and infrastructure to target Ukrainian military personnel, shortly after it was identified as having leveraged a Pakistani threat group's payloads to compromise South Asian organizations, Ars Technica reports.
After tapping Russian threat operation Storm-1837's backdoor to facilitate a Tavdig loader compromise in January, Turla went on to leverage Storm-1919's Amadey botnet, which distributes the XMRig cryptominer, between March and April, according to an analysis from the Microsoft Threat Intelligence team. Turla "has been using footholds from third parties—either by surreptitiously stealing or purchasing access—as a specific and deliberate method to establish footholds of espionage value. Nevertheless, Microsoft assesses that while this approach has some benefits that could lead more threat adversaries to use it, it is of less use against hardened networks, where good endpoint and network defenses enable the detection of activities of multiple threat adversaries for remediation," said the report.