Ukraine has been the target of persistent cyberattacks for years. It has faced a range of threat actors, including state-sponsored groups and financially motivated criminals. One of the most active and determined of these groups is Gamaredon. The group’s main focus is espionage, primarily related to Ukraine and its ongoing conflict with Russia. Recent reports have highlighted that Gamaredon has adopted a new tactic to spread its malware via USB drives.
Gamaredon’s Activities in Ukraine
Gamaredon has been active since at least mid-2013, and has focused on targeting individuals and entities in Ukraine. The group is also tracked under different names such as Armageddon, Primitive Bear, Shuckworm, and Trident Ursa. Most of these names are linked to Russia’s Federal Security Service (FSB), indicating that Gamaredon is likely operating on behalf of the FSB.
Attempts to steal sensitive information and gain long-term access have been ongoing
Gamaredon has demonstrated an impressive ability to infiltrate the networks of its targets and maintain long-term access. According to Symantec, the hacking group has obtained long-term access to victim networks, sometimes for as long as three months. During this time, Gamaredon repeatedly attempts to steal sensitive information related to the war between Ukraine and Russia, such as military secrets or diplomatic data.
New tactics are being used by Gamaredon
To remain effective and evade detection, Gamaredon has had to constantly adapt. On the technical side, the group has been using updated tools, fresh infrastructure, and new tactics. For example, in recent attacks, a new PowerShell script was used to spread the group’s custom backdoor, named Pterodo, via USB drives. These USB drives are likely used by the attackers for lateral movement across victim networks and to help them reach air-gapped machines within targeted organizations.
The use of USB drives for lateral movement
Symantec has identified multiple systems that appear to have been compromised after being infected through USB drives. This tactic is not new, but it indicates that Gamaredon is willing to use established methods to achieve its objectives. The USB drives are likely carrying a Trojan program that will execute as soon as they physically connect to the target machine.
Identifying compromised systems and the use of legitimate services
As well as identifying systems that have been compromised, Symantec has also spotted Gamaredon’s use of legitimate services, such as Telegram, for command-and-control (C&C) infrastructure. This technique allows the hackers to blend in with normal traffic and makes it harder for defenders to spot and block any suspicious activity.
The recent Gamaredon campaign
According to Symantec, the most recent Gamaredon campaign started in February-March 2021. The campaign focuses on systems containing sensitive military information. Indications in some organizations suggest that the attackers are targeting the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations is a priority for the attackers, among other things.
Targeting individuals and human resources departments
One of the worrying aspects of the latest Gamaredon campaign is that it appears to be targeting individuals as well as organizations. Human resources departments may have been targeted to allow the hackers to access details about the employees of the organizations. This information could then be used to launch further attacks on selected individuals within the target organization.
Gamaredon has been a persistent threat to Ukraine for several years, and the group continues to evolve its tactics. Its recent use of USB-propagated malware is a reminder that established threat actors may still choose to rely on relatively old techniques if they are still effective. The group’s ability to maintain long-term persistent access to compromised networks and adopt new tactics means that it remains a serious threat to Ukraine and other neighboring countries. Defenders need to remain vigilant and continually assess their security arrangements to ensure they have a chance to detect and block Gamaredon’s activities.