Gamaredon cyber spies attack Ukraine and NATO countries

0
84
Gamaredon cyber spies attack Ukraine and NATO countries

ESET has prepared an overview of the activities of the Gamaredon APT group (also known as UAC-0010 and Armageddon), a Russian-linked group that has been operating since at least 2013 and is currently most active in Ukraine. Most of the cybercriminals’ attacks targeted Ukrainian government agencies, but in 2022-2023, ESET recorded attempts to attack targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland.

In particular, the new PteroBleed threat focused on stealing valuable data related to the Ukrainian military system, as well as from webmail used by a government agency in Ukraine. In addition, the cybercriminal group has developed new tools aimed at stealing data from Signal and Telegram messengers, email services, and web applications in the browser.

It is worth noting that the Gamaredon group is attributed to the Russian 18th FSB Information Security Center, which operates in the occupied Crimea. ESET researchers believe that these cybercriminals also cooperate with another group, InvisiMole.

Семиденне ковзне середнє унікальних машин, атакованих в Україні
Figure 1. Seven-day moving average of unique machines attacked in Ukraine

What are the most common attack methods used by cybercriminals?

The Gamaredon group uses constantly evolving code obfuscation techniques and methods to bypass domain-based blocking. In this way, the attackers impede tracking as they make it difficult for automatic detection and blocking of their tools. Nevertheless, during the investigation, ESET researchers were able to identify these tactics and track Gamaredon’s activities.

The cybercriminals deployed their malicious tools to attack targets in Ukraine long before the full-scale Russian invasion in 2022. Gamaredon distributes phishing emails to infect new victims. The cybercriminals then use malware to modify existing Word documents or create new files on connected USB drives and wait for them to spread from the first victim to other potential victims.

“Gamaredon, unlike most APT groups, does not try to avoid detection as long as possible by using new methods for cyber espionage, and probably does not even mind being detected during their activities. Despite the fact that it is not so important for them to go undetected, they still put a lot of effort into avoiding being blocked by security solutions and trying to maintain access to compromised systems,” explains Zoltan Rusnak, ESET researcher.

Графік появи нових інструментів в арсеналі Гамаредона
Fig. 2. Schedule of new tools in the Gamaredon arsenal

Compliance with cybersecurity rules

“Typically, Gamaredon tries to maintain access by deploying multiple simple downloaders or backdoors at the same time. The lack of sophistication of Gamaredon’s tools is compensated for by frequent updates and the use of code obfuscation techniques that change regularly,” adds the ESET researcher. “Despite the relative simplicity of the tools, the aggressive approach and ability to remain undetected make the Gamaredon group a significant threat. With the ongoing war, Gamaredon will continue to focus on attacking targets in Ukraine.”

Read more about the activities of the Gamaredon APT group in the full ESET report.

Due to the danger of cyberattacks, ESET experts recommend following basic cybersecurity rules, including not opening unknown emails and documents, using complex passwords and two-factor authentication, keeping software up to date, and ensuring reliable protection of home devices and corporate networks.

LEAVE A REPLY

Please enter your comment!
Please enter your name here