Russia-Linked Group Gamaredon Targets Ukraine with USB-Propagated Malware

Ukraine has been the target of persistent cyberattacks for years. It has faced a range of threat actors, including state-sponsored groups and financially motivated criminals. One of the most active and determined of these groups is Gamaredon. The group’s main focus is espionage, primarily related to Ukraine and its ongoing conflict with Russia. Recent reports have highlighted that Gamaredon has adopted a new tactic to spread its malware via USB drives.

Gamaredon’s Activities in Ukraine

Gamaredon has been active since at least mid-2013, and has focused on targeting individuals and entities in Ukraine. The group is also tracked under different names such as Armageddon, Primitive Bear, Shuckworm, and Trident Ursa. Most of these names are linked to Russia’s Federal Security Service (FSB), indicating that Gamaredon is likely operating on behalf of the FSB.

Attempts to steal sensitive information and gain long-term access have been ongoing

Gamaredon has demonstrated an impressive ability to infiltrate the networks of its targets and maintain long-term access. According to Symantec, the hacking group has obtained long-term access to victim networks, sometimes for as long as three months. During this time, Gamaredon repeatedly attempts to steal sensitive information related to the war between Ukraine and Russia, such as military secrets or diplomatic data.

New tactics are being used by Gamaredon

To remain effective and evade detection, Gamaredon has had to constantly adapt. On the technical side, the group has been using updated tools, fresh infrastructure, and new tactics. For example, in recent attacks, a new PowerShell script was used to spread the group’s custom backdoor, named Pterodo, via USB drives. These USB drives are likely used by the attackers for lateral movement across victim networks and to help them reach air-gapped machines within targeted organizations.

The use of USB drives for lateral movement

Symantec has identified multiple systems that appear to have been compromised after being infected through USB drives. This tactic is not new, but it indicates that Gamaredon is willing to use established methods to achieve its objectives. The USB drives are likely carrying a Trojan program that will execute as soon as they physically connect to the target machine.

Identifying compromised systems and the use of legitimate services

As well as identifying systems that have been compromised, Symantec has also spotted Gamaredon’s use of legitimate services, such as Telegram, for command-and-control (C&C) infrastructure. This technique allows the hackers to blend in with normal traffic and makes it harder for defenders to spot and block any suspicious activity.

The recent Gamaredon campaign

According to Symantec, the most recent Gamaredon campaign started in February-March 2021. The campaign focuses on systems containing sensitive military information. Indications in some organizations suggest that the attackers are targeting the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations is a priority for the attackers, among other things.

Targeting individuals and human resources departments

One of the worrying aspects of the latest Gamaredon campaign is that it appears to be targeting individuals as well as organizations. Human resources departments may have been targeted to allow the hackers to access details about the employees of the organizations. This information could then be used to launch further attacks on selected individuals within the target organization.

Gamaredon has been a persistent threat to Ukraine for several years, and the group continues to evolve its tactics. Its recent use of USB-propagated malware is a reminder that established threat actors may still choose to rely on relatively old techniques if they are still effective. The group’s ability to maintain long-term persistent access to compromised networks and adopt new tactics means that it remains a serious threat to Ukraine and other neighboring countries. Defenders need to remain vigilant and continually assess their security arrangements to ensure they have a chance to detect and block Gamaredon’s activities.

Explore more

Apple iPhone 18 Leak Reveals RAM Upgrades for Advanced AI

Dominic Jainy brings a wealth of knowledge to the table regarding the hardware-software symbiosis required for modern artificial intelligence. As an IT professional deeply embedded in the evolution of silicon architecture and machine learning, he offers a unique perspective on why seemingly incremental hardware shifts often dictate the entire user experience. This discussion explores the technical nuances of Apple’s transition

Why Are Investors Choosing Pepeto Over Stagnant Ethereum?

The global cryptocurrency landscape is currently undergoing a fundamental reorganization as capital increasingly migrates from established legacy protocols toward nimble, utility-driven newcomers that offer significant growth potential. For years, Ethereum remained the undisputed leader in smart contract functionality, yet its recent price stagnation has left many market participants searching for more dynamic opportunities. This transition is not merely a product

AI Becomes the Core Infrastructure of Global Banking

The global financial sector has officially moved past the phase of speculative experimentation, cementing artificial intelligence as the definitive architectural foundation upon which all modern banking services now operate. This structural metamorphosis represents a pivot from peripheral innovation toward a state of full-scale operational maturity, where algorithms are no longer viewed as external additions but as the very core of

Will the Vivo X500 Series Set New Flagship Standards?

The swift evolution of mobile technology often leaves consumers wondering if the next major release will truly redefine the experience or simply polish existing features. Currently, the industry looks toward the X500 series as a potential catalyst for change. The pace of innovation has accelerated to a point where a yearly cycle no longer satisfies the hunger for cutting-edge hardware

AI and Supply Chain Risks Reshape the Cyber Threat Landscape

The speed at which a software vulnerability transforms from a quiet discovery into a weaponized global threat has reached a breaking point, redefining the very concept of digital defense. This phenomenon, frequently described as the compression of time, characterizes a modern landscape where the gap between the identification of a flaw and its active exploitation by malicious actors has essentially