A notorious Kremlin-backed hacking group is using a legitimate network service from Cloudflare to coordinate and carry out targeted attacks.
Researchers with Insikt Group report that the threat actor known as BlueAlpha has been taking advantage of Cloudflare's secure tunneling service to make its malware campaigns against individuals and organizations in Ukraine more effective.
According to Insikt Group, the BlueAlpha hackers adopted the Tunnels service to conceal the staging servers and connections they use to link infected machines with the malware's command-and-control servers.
“BlueAlpha has leveraged Cloudflare Tunnels as part of its GammaDrop staging infrastructure, allowing it to effectively evade traditional network detection mechanisms and further complicate efforts to identify and block its activities,” the InsiktGroup team explained.
Designed to help customers connect their own servers to Cloudflare's edge network, Cloudflare Tunnels creates an encrypted connection between a customer's servers and Cloudflare's services, so the origin server never has to expose a publicly routable address.
In this case, Insikt Group said that BlueAlpha uses the Tunnels service in a later stage of its phishing malware attacks.
Once the user has been given a link to an attack site that downloads a malicious LNK file, they are directed to the Tunnels service, which provides an encrypted connection between the victim and the server hosting the malware payload itself.
This gives the BlueAlpha team an encrypted, Cloudflare-fronted connection in a critical portion of the attack chain, making it harder for security tools and network administrators to spot the payload server and block it.
The researchers noted that BlueAlpha is not the only group to adopt this technique; using Tunnels to conceal the attack chain has become increasingly popular amongst threat actors.
BlueAlpha has gained particular notoriety for targeting high-value individuals and organizations in Ukraine as part of the cyber component of Russia's invasion of Ukraine.
The group is said to operate at the behest of the Russian FSB. Insikt Group explained that BlueAlpha is an offshoot of a group called Centre 18, which is itself under the direct control of the Kremlin's intelligence authority.
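The staging pattern described above (a downloaded LNK lure followed by a payload fetch through a Cloudflare Tunnel hostname) leaves a trace in ordinary web-proxy logs. The following detection sketch is an added example, not code from the report or from Cloudflare: it parses constructed sample proxy lines, flags clients that contact tunnel hostnames, and raises the severity when a `.lnk` download precedes the first tunnel contact from the same client. It assumes the `*.trycloudflare.com` suffix that Cloudflare's quick tunnels use; tunnels bound to an operator-owned domain will not match this suffix and need separate review.

```python
"""Flag proxy-log entries consistent with LNK lure -> Cloudflare Tunnel payload fetch.
Added example; sample log lines below are constructed, not taken from the report."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: Cloudflare quick-tunnel hostnames end in this suffix. Tunnels on a
# customer-owned domain will not match and must be handled by other means.
TUNNEL_HOST_SUFFIXES = (".trycloudflare.com",)
# Lure file extensions worth correlating with a later tunnel fetch.
LURE_EXTENSIONS = (".lnk",)

# Constructed sample log, one request per line: "<ts> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-12-01T09:00:01Z 10.0.0.5 GET https://intranet.example.local/index.html 200
2024-12-01T09:01:10Z 10.0.0.5 GET https://lure-site.example/docs/report.lnk 200
2024-12-01T09:01:12Z 10.0.0.5 GET https://words-random-here.trycloudflare.com/stage/payload.bin 200
2024-12-01T09:05:00Z 10.0.0.7 GET https://cdn.example.org/app.js 200
2024-12-01T09:06:30Z 10.0.0.7 GET https://other-name-here.trycloudflare.com/health 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parsed = urlparse(entry["url"])
    entry["host"] = (parsed.hostname or "").lower()
    entry["path"] = parsed.path.lower()
    return entry


def is_tunnel_host(host):
    return any(host.endswith(suffix) for suffix in TUNNEL_HOST_SUFFIXES)


def is_lure_download(path):
    return path.endswith(LURE_EXTENSIONS)


def scan(log_text):
    """Return one finding per client that contacted a tunnel hostname.

    Severity is 'high' when a lure download from that client preceded the
    first tunnel contact (the two-step pattern), otherwise 'medium'.
    Lines are assumed to be in chronological order.
    """
    per_client = defaultdict(
        lambda: {"tunnel_hosts": [], "lure_seen": False, "lure_before_tunnel": False}
    )
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        state = per_client[entry["client"]]
        if is_lure_download(entry["path"]):
            state["lure_seen"] = True
        if is_tunnel_host(entry["host"]):
            state["tunnel_hosts"].append(entry["host"])
            if state["lure_seen"]:
                state["lure_before_tunnel"] = True

    findings = []
    for client, state in per_client.items():
        if state["tunnel_hosts"]:
            findings.append(
                {
                    "client": client,
                    "tunnel_hosts": sorted(set(state["tunnel_hosts"])),
                    "severity": "high" if state["lure_before_tunnel"] else "medium",
                }
            )
    return sorted(findings, key=lambda f: f["client"])


if __name__ == "__main__":
    for finding in scan(SAMPLE_PROXY_LOG):
        print(finding)
```

A medium-severity hit on its own is not proof of compromise, since Cloudflare Tunnels is a legitimate service; the value of the rule is the correlation with the preceding lure download, which is why the two signals are tracked per client rather than per request.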