Date: 2024-12-12

Russian state-backed hackers compromised Ukrainian military devices by identifying and targeting IP addresses associated with Elon Musk-owned SpaceX’s Starlink internet connections, according to a Microsoft Threat Intelligence report released Wednesday.

What Happened: The hacking group, known as Secret Blizzard and linked to Russia’s Federal Security Service, deployed malware to specifically selected target devices between March and April after identifying Ukrainian military units through their Starlink IP address signatures.

Secret Blizzard aims to secure long-term access to systems for intelligence gathering, often targeting advanced research and politically sensitive information, and draws on extensive resources, including multiple backdoors, to do so.

“The threat actor selectively deployed tools to devices of further interest—for example, devices egressing from STARLINK IP addresses, a common signature of Ukrainian front-line military devices,” Microsoft’s report stated.

Microsoft researchers observed Secret Blizzard using malware called Amadey bot to gain initial access, followed by deploying sophisticated backdoors named Tavdig and KazuarV2 to maintain long-term surveillance capabilities.

Why It Matters: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously attributed Secret Blizzard to Center 16 of Russia’s FSB. The group primarily targets ministries of foreign affairs, embassies, government offices, and defense-related organizations worldwide.

Microsoft said it has directly notified affected customers and provided recommendations for strengthening network defenses against such attacks.

The company emphasized that while this approach of compromising existing access points is concerning, properly configured security measures can effectively detect and block these threats.

