Experts of the Governmental Computer Emergency Response Team of Ukraine CERT-UA, which operates under the State Special Communications Service of Ukraine, analyzed the current tactics, techniques and procedures used by hackers of one of the most active and dangerous Russian hacker groups – UAC-0010 (Armageddon / Gamaredon).
The group consists of former SBU “officers” in the Autonomous Republic of Crimea who betrayed their homeland in 2014 and began serving the Russian FSB.
The main task of the group is cyber espionage against the security and defense forces of Ukraine. There is also information about at least one case of destructive activity at an information infrastructure facility.
According to CERT-UA, the number of simultaneously infected computers, which mainly operate within the information and communication systems of government agencies, can reach several thousand.
How they attack
- As a vector of primary compromise, hackers mostly use emails and messages in messengers (Telegram, WhatsApp, Signal), which are sent through previously compromised accounts. The most common method is to send the victim an archive containing an HTM or HTA file, which, when opened, initiates the infection chain.
- To spread the malware, the group can infect removable storage media and legitimate files (including shortcuts), and can modify Microsoft Office Word templates so that every document created on the computer is infected through the addition of a corresponding macro.
- After the initial infection, the attackers can steal files with the extensions .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, .mdb within 30-50 minutes – mostly using GAMMASTEEL malware.
- A computer that has been compromised for about a week may contain 80 to 120 or more malicious (infected) files, not counting files created on removable storage media connected to the computer during that period.
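The two traits above that a defender can check for on a host are a Word global template that has acquired a VBA project (the template-infection technique) and archives that carry HTM/HTA lures (the delivery vector). The following script is an added example written for this article, not code from CERT-UA; it builds constructed sample files in a temporary directory (no real malware) and runs the checks over them. It assumes Normal.dotm lives under %APPDATA%\Microsoft\Templates on Windows, that a macro-enabled OOXML template contains word/vbaProject.bin, and that .html should be treated like HTM.

```python
"""Host-hunting helpers for two UAC-0010 traits described in the advisory:
a macro-bearing Word template and archives that carry HTM/HTA lures.
Sample files are constructed here; nothing in this script is real malware."""
import os
import tempfile
import zipfile

# Extensions that, inside an archive, match the HTM/HTA delivery vector.
# Assumption: .html is treated the same as .htm.
LURE_EXTENSIONS = (".htm", ".html", ".hta")

# Extensions the advisory lists as exfiltration targets (used to size exposure).
EXFIL_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".rtf", ".odt", ".txt",
                    ".jpg", ".jpeg", ".pdf", ".ps1", ".rar", ".zip", ".7z", ".mdb")


def template_has_vba(dotm_path):
    """True if an OOXML Word template carries a VBA project.
    A .dotm is a zip container; macros are stored in word/vbaProject.bin."""
    if not zipfile.is_zipfile(dotm_path):
        return False
    with zipfile.ZipFile(dotm_path) as z:
        return any(n.lower() == "word/vbaproject.bin" for n in z.namelist())


def archive_lures(archive_path):
    """Names inside a zip archive whose extension matches the HTM/HTA lure pattern."""
    with zipfile.ZipFile(archive_path) as z:
        return sorted(n for n in z.namelist() if n.lower().endswith(LURE_EXTENSIONS))


def count_exfil_targets(root):
    """Count files under root with an extension on the advisory's target list."""
    total = 0
    for _dirpath, _dirs, files in os.walk(root):
        total += sum(1 for f in files if f.lower().endswith(EXFIL_EXTENSIONS))
    return total


def default_normal_dotm():
    """Assumed location of the user's global template on Windows:
    %APPDATA%\\Microsoft\\Templates\\Normal.dotm."""
    return os.path.join(os.environ.get("APPDATA", ""),
                        "Microsoft", "Templates", "Normal.dotm")


def build_samples(workdir):
    """Constructed samples: a clean template, a template with a VBA part,
    and an archive holding an HTA lure next to a decoy PDF."""
    clean = os.path.join(workdir, "Normal_clean.dotm")
    with zipfile.ZipFile(clean, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    macro = os.path.join(workdir, "Normal_macro.dotm")
    with zipfile.ZipFile(macro, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    lure = os.path.join(workdir, "attachment.zip")
    with zipfile.ZipFile(lure, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 constructed decoy")
        z.writestr("document.hta", "<!-- constructed placeholder, no script -->")
    return clean, macro, lure


def run_demo():
    """Build the samples in a temp dir and return the check results."""
    with tempfile.TemporaryDirectory() as d:
        clean, macro, lure = build_samples(d)
        return {
            "clean_has_vba": template_has_vba(clean),
            "macro_has_vba": template_has_vba(macro),
            "lures": archive_lures(lure),
            "exfil_targets": count_exfil_targets(d),  # only attachment.zip matches
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    print("check your own template with:", default_normal_dotm())
```

On a real host, point `template_has_vba` at `default_normal_dotm()` (a Normal.dotm with a VBA part deserves a look, since a stock template has none) and `archive_lures` at archives received through mail or messengers before anyone opens them; `count_exfil_targets` over a user profile gives a rough idea of how much data the 30-50 minute collection window described below could reach.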
Special attention
CERT-UA experts also warn the military personnel of the Armed Forces of Ukraine: if your computer does not have EDR-class protection (not “antivirus”), immediately contact the ITS Cyber Security Center (military unit A0334; email: csoc@post.mil.gov.ua) to install the appropriate software.
Computers located outside the protection perimeter, in particular those that use Starlink terminals to access the Internet, are at increased risk.
The absence of the aforementioned security technology increases the likelihood of cyberattacks on both a single computer and the entire information and communication system (network) of the unit.
If a compromise is detected using the indicators provided by CERT-UA, immediately notify the ITS Cybersecurity Center.