Russia-linked Gamaredon APT targeted a western government entity in Ukraine

The Russia-linked Gamaredon APT group attempted to compromise an unnamed Western government entity in Ukraine.

Palo Alto Networks’ Unit 42 reported that the Russia-linked Gamaredon APT group attempted to compromise an unnamed Western government entity operating in Ukraine in January, while geopolitical tensions between Russia and Ukraine have escalated dramatically.

In Mid January the Ukrainian government was hit with destructive malware, tracked as WhisperGate, and several Ukrainian government websites were defaced by exploiting a separate vulnerability in OctoberCMS.

Palo Alto Network experts mapped out three large clusters of the infrastructure used by the nation-state APT group used to support different phishing and malware campaigns. These clusters link to over 700 malicious domains, 215 IP addresses, and over 100 samples of malware.

“Monitoring these clusters, we observed an attempt to compromise a Western government entity in Ukraine on Jan. 19, 2022. We have also identified potential malware testing activity and reuse of historical techniques involving open-source virtual network computing (VNC) software.” reads the report published by Palo Alto Networks. “Thorough pivoting through all of the domains and IP addresses results in the identification of almost 700 domains. These are domains that are already publicly attributed to Gamaredon due to use in previous cyber campaigns, mixed with new domains that have not yet been used. Drawing a delineation between the two then becomes an exercise in tracking the most recent infrastructure.”

Unlike most threat actors that discard domains after their use in a cyber attack, Gamaredon recycles their domains by consistently rotating them across new infrastructure.

The phishing attack leveraged a job search and employment platform in Ukraine where attackers uploaded their malware downloader in the form of a resume for an active job listing related to the targeted organization.

The investigation into the activity of the Gamaredon APT revealed also that the cyberspies carried out a campaign against the State Migration Service of Ukraine in early December.

The state-sponsored hackers used weaponized Word docs (called “Report on the LCA for June 2021(Autosaved).doc.”) as a lure to deliver the open-source UltraVNC virtual network computing (VNC) software for maintaining remote access to infected computers.

One of the clusters analyzed by the experts was used as C2 infrastructure for a custom remote administration tool called  Pterodo/Pteranodon backdoor. This backdoor was continuously updated for years, with threat actors focusing the development on anti-detection functions. The malware allows the attackers to download and execute files, capture screenshots and execute arbitrary commands on compromised systems.

Over the last three months, Palo Alto researchers have identified 33 samples of Pteranodon.

In November, Ukraine’s premier law enforcement and counterintelligence disclosed the real identities of five alleged members of the Russia-linked APT group Gamaredon (aka Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) that are suspected to be components of the Russian Federal Security Service (FSB).

According to the Security Service of Ukraine (SSU) Cyber Security Department, the group carried out over 5,000 cyberattacks against public authorities and critical infrastructure of Ukraine. 

The five individuals are Sklianko Oleksandr Mykolaiovych, Chernykh Mykola Serhiiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriiovych, and Sushchenko Oleh Oleksandrovych.

“They are officers of the ‘Crimean’ FSB and traitors who defected to the enemy during the occupation of the peninsula in 2014. The SSU has managed to identify the perpetrators’ names, intercept their communication and obtain irrefutable evidence of their involvement in the attacks. All of that, despite the fact that they used the FSB’s own malicious software and tools to remain anonymous and hidden online. 5 members of the group have been notified of suspicion of treason.” reads the announcement published by the SSU.

“The ARMAGEDON hacker group is an FSB special project, which specifically targeted Ukraine. This ‘line of work’ is coordinated by the FSB’s 18th Center (Information Security Center) based in Moscow.”

Ukrainian authorities revealed that the individuals are officers of the ‘Crimean’ FSB,’ for this reason they are considered traitors who defected to the enemy during the occupation of Crimea in 2014.

The Gamaredon group was first discovered by Symantec and TrendMicro in 2015, but evidence of its activities has been dated back to 2013. The group targeted government and military organizations in Ukraine. In December 2019, the APT group targeted several Ukrainian diplomats, government and military officials, and law enforcement.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon APT)

[adrotate banner=”5″]

[adrotate banner=”13″]