Russian Gamaredon APT is targeting Ukraine since October

February 7, 2022  By Pierluigi Paganini


Russia-linked APT group Gamaredon is behind spear-phishing attacks against Ukrainian entities and organizations since October 2021.

Russia-linked cyberespionage group Gamaredon (aka Armageddon, Primitive Bear, and ACTINIUM) is behind the spear-phishing attacks targeting Ukrainian entities and organizations related to Ukrainian affairs, since October 2021, Microsoft said.

This week, Palo Alto Networks’ Unit 42 reported that the Russia-linked Gamaredon APT group attempted to compromise an unnamed Western government entity operating in Ukraine in January, while geopolitical tensions between Russia and Ukraine have escalated dramatically.

In Mid January the Ukrainian government was hit with destructive malware, tracked as WhisperGate, and several Ukrainian government websites were defaced by exploiting a separate vulnerability in OctoberCMS.

Palo Alto Network experts mapped out three large clusters of the infrastructure used by the nation-state APT group used to support different phishing and malware campaigns. These clusters link to over 700 malicious domains, 215 IP addresses, and over 100 samples of malware.

In November, Ukraine’s premier law enforcement and counterintelligence disclosed the real identities of five alleged members of the Russia-linked APT group Gamaredon (aka Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) that are suspected to be components of the Russian Federal Security Service (FSB).

According to the Security Service of Ukraine (SSU) Cyber Security Department, the group carried out over 5,000 cyberattacks against public authorities and critical infrastructure of Ukraine. 

The five individuals are Sklianko Oleksandr Mykolaiovych, Chernykh Mykola Serhiiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriiovych, and Sushchenko Oleh Oleksandrovych.

Ukrainian authorities revealed that the individuals are officers of the ‘Crimean’ FSB,’ for this reason they are considered traitors who defected to the enemy during the occupation of Crimea in 2014.

The Gamaredon group was first discovered by Symantec and TrendMicro in 2015, but evidence of its activities has been dated back to 2013. The group targeted government and military organizations in Ukraine. In December 2019, the APT group targeted several Ukrainian diplomats, government and military officials, and law enforcement.

Security researchers at Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU) revealed that Gamaredon’s operations are being coordinated out of Crimea.

“MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB).” reads the post published by Microsoft. “Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis.”

Microsoft experts pointed out that Gamaredon was not involved in destructive malware attacks associated with the threat actor tracked as DEV-0586. 

Microsoft highlighted that ACTINIUM’s tactics are constantly evolving. The most common access vectors used by ACTINIUM is spear-phishing messages using weaponized documents that employ remote templates.

ACTINIUM gamaredon phishing

ACTINIUM also employed a variety of malware families, including DinoTrain, DesertDown, DilongTrash, ObfuBerry, ObfuMerry, and PowerPunch.

“MSTIC assesses that the primary outcome of activities by ACTINIUM is persistent access to networks of perceived value for the purpose of intelligence collection. Despite seemingly wide deployment of malicious capabilities in the region, follow-on activities by the group occur in areas of discrete interest, indicating a possible review of targeting.” concludes the post that also includes Indocators of Compromise (IoCs) for the attacks observed by the IT giant.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Israeli surveillance firm QuaDream emerges from the dark

 One of the Apple iOS zero-day flaws exploited by the NSO group was also used by another surveillance firm named QuaDream. One...