Russian APT Gamaredon Changes Tactics in Attacks Targeting Ukraine

Russia-linked Gamaredon, a hacking group recognized for offering providers to different superior persistent risk (APT) actors, is likely one of the most intrusive, repeatedly lively APTs focusing on Ukraine, Palo Alto Networks’ Unit 42 warns.

Also often known as Armageddon, Primitive Bear, Shuckworm, and Trident Ursa, Gamaredon has been lively since at the least 2013, mainly focused on targets in Ukraine. The APT depends on phishing emails for malware distribution and supplies entry to compromised networks and intelligence to different risk actors.

Over the previous ten months, Gamaredon was seen targeting a large petroleum refining company, in addition to altering its ways, methods, and procedures (TTPs) a number of occasions.

Traditionally, the hacking group was seen utilizing phishing lures in the Ukrainian language, but it surely additionally employed English language lures in some circumstances, more likely to enhance community entry and intelligence assortment towards each Ukraine and NATO members, Unit 42 notes.

At the tip of August, the risk actor unsuccessfully tried to compromise “a big petroleum refining firm inside a NATO member nation” utilizing English language lures.

Unit 42’s safety researchers additionally found that, on February 24, the identical day that Russia invaded Ukraine, a person named Anton, who seems to have ties to Gamaredon, threatened a gaggle of cybersecurity researchers who revealed tweets highlighting the group’s indicators of compromise (IoCs).

Over the following few days, Anton used a number of accounts to publish threatening tweets that featured the Gamaredon hashtag, together with one containing the total title and tackle of Mikhail Kasimov, a researcher working from throughout the warfare zone.

Over the previous six months, the group was noticed utilizing varied DNS-related methods to extend the resilience of their operations, similar to using “authentic providers to question IP assignments for malicious domains”, successfully bypassing DNS and DNS logging, Unit 42 says.

The APT was additionally seen utilizing Telegram messenger content material to establish the most recent IP used for command-and-control (C&C), flooding the quick flux DNS tables of its root domains with ‘junk’ IPs and utilizing subdomains, and counting on digital non-public server (VPS) suppliers in an autonomous system (AS) for operational infrastructure outdoors Russia.

Gamaredon continues to depend on .html information and Word paperwork for malware supply and has been noticed utilizing two completely different droppers over the previous three months, particularly a 7-Zip self-extracting (SFX) archive and a loader that depends on wscript to execute two dropped information.

Despite having its operations publicly detailed a number of occasions, Gamaredon continues to make use of the identical easy methods, primarily counting on heavy obfuscation and publicly out there instruments, and even reuses code in new assaults, typically registering success in its operations and remaining a significant cyberthreat to Ukraine, Unit 42 concludes.

Related: More Russian Attacks Against Ukraine Come to Light

Related: Highly Active ‘Gamaredon’ Group Provides Services to Other APTs

Related: Ukraine Names Russian FSB Officers Involved in Gamaredon Cyberattacks

Ionut Arghire is a global correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Related Posts