Russian Gamaredon APT is targeting Ukraine since October

Pierluigi Paganini February 07, 2022

Russia-linked APT group Gamaredon is behind spear-phishing attacks against Ukrainian entities and organizations since October 2021.

Russia-linked cyberespionage group Gamaredon (aka Armageddon, Primitive Bear, and ACTINIUM) is behind the spear-phishing attacks targeting Ukrainian entities and organizations related to Ukrainian affairs, since October 2021, Microsoft said.

This week, Palo Alto Networks’ Unit 42 reported that the Russia-linked Gamaredon APT group attempted to compromise an unnamed Western government entity operating in Ukraine in January, while geopolitical tensions between Russia and Ukraine have escalated dramatically.

In Mid January the Ukrainian government was hit with destructive malware, tracked as WhisperGate, and several Ukrainian government websites were defaced by exploiting a separate vulnerability in OctoberCMS.

Palo Alto Network experts mapped out three large clusters of the infrastructure used by the nation-state APT group used to support different phishing and malware campaigns. These clusters link to over 700 malicious domains, 215 IP addresses, and over 100 samples of malware.

In November, Ukraine’s premier law enforcement and counterintelligence disclosed the real identities of five alleged members of the Russia-linked APT group Gamaredon (aka Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) that are suspected to be components of the Russian Federal Security Service (FSB).

According to the Security Service of Ukraine (SSU) Cyber Security Department, the group carried out over 5,000 cyberattacks against public authorities and critical infrastructure of Ukraine. 

The five individuals are Sklianko Oleksandr Mykolaiovych, Chernykh Mykola Serhiiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriiovych, and Sushchenko Oleh Oleksandrovych.

Ukrainian authorities revealed that the individuals are officers of the ‘Crimean’ FSB,’ for this reason they are considered traitors who defected to the enemy during the occupation of Crimea in 2014.

The Gamaredon group was first discovered by Symantec and TrendMicro in 2015, but evidence of its activities has been dated back to 2013. The group targeted government and military organizations in Ukraine. In December 2019, the APT group targeted several Ukrainian diplomats, government and military officials, and law enforcement.

Security researchers at Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU) revealed that Gamaredon’s operations are being coordinated out of Crimea.

“MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB).” reads the post published by Microsoft. “Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis.”

Microsoft experts pointed out that Gamaredon was not involved in destructive malware attacks associated with the threat actor tracked as DEV-0586. 

Microsoft highlighted that ACTINIUM’s tactics are constantly evolving. The most common access vectors used by ACTINIUM is spear-phishing messages using weaponized documents that employ remote templates.

ACTINIUM gamaredon phishing

ACTINIUM also employed a variety of malware families, including DinoTrain, DesertDown, DilongTrash, ObfuBerry, ObfuMerry, and PowerPunch.

“MSTIC assesses that the primary outcome of activities by ACTINIUM is persistent access to networks of perceived value for the purpose of intelligence collection. Despite seemingly wide deployment of malicious capabilities in the region, follow-on activities by the group occur in areas of discrete interest, indicating a possible review of targeting.” concludes the post that also includes Indocators of Compromise (IoCs) for the attacks observed by the IT giant.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment