CERT-Ukraine reports Gamaredon’s recent tactics

The Russia-linked hacker group known as Gamaredon has been observed engaging in data theft activities shortly after gaining initial access to their targets.

Gamaredon, also referred to as Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010, is believed to be backed by the state and connected to the SBU Main Office in Crimea, which was annexed by Russia in 2014. They have targeted thousands of government computers with their attacks.

How do they gain initial access?

The primary method they use to gain entry is through emails and messages on popular platforms like Telegram, WhatsApp, and Signal, often taking advantage of previously compromised accounts. 

The Computer Emergency Response Team of Ukraine (CERT-UA) recently published an analysis of the group, shedding light on their tactics.

Since the start of the Russo-Ukrainian war in February 2022, Gamaredon, like many other Russian hacking groups, has been highly active. 

They use phishing campaigns to deliver PowerShell backdoors like GammaSteel, which allows them to gather intelligence and carry out further commands.

Source: Talos

  • Their attack usually involves sending messages with an archive attachment, which, when opened, triggers the attack.
  • According to CERT-UA, GammaSteel specifically seeks out files with extensions like .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb. It then proceeds to exfiltrate these files within 30 to 50 minutes.
  • The group is continuously adapting its strategies, and they have now incorporated USB infection techniques for spreading their malware. A compromised system can end up with as many as 80 to 120 malicious files over a week.
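
As an added detection example that is not part of the CERT-UA report or this post: the extension list and the 30-to-50-minute exfiltration interval above can drive a simple hunt over file-access telemetry, flagging any process that reads many distinct documents of those types inside one short window. The "timestamp|process|path" record format, the sample lines, and the threshold of 20 distinct files are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Extensions CERT-UA reports GammaSteel collects (taken from the post above).
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".odt", ".txt", ".jpg",
               ".jpeg", ".pdf", ".ps1", ".rar", ".zip", ".7z", ".mdb"}

# Constructed sample records in a hypothetical "timestamp|process|path" format.
SAMPLE_LINES = [
    f"2023-07-18T09:{m:02d}:00|powershell.exe|C:\\Users\\u\\Documents\\report{m}.docx"
    for m in range(25)
] + [
    "2023-07-18T09:05:00|winword.exe|C:\\Users\\u\\Documents\\notes.docx",
    "2023-07-18T09:06:00|winword.exe|C:\\Users\\u\\Documents\\notes.docx",
    "2023-07-18T09:07:00|explorer.exe|C:\\Windows\\System32\\cmd.exe",
]

def parse_event(line):
    """Split one record into (datetime, process, path)."""
    ts, proc, path = line.rstrip("\n").split("|", 2)
    return datetime.fromisoformat(ts), proc, path

def has_target_ext(path):
    return any(path.lower().endswith(ext) for ext in TARGET_EXTS)

def flag_mass_document_reads(lines, window_minutes=50, threshold=20):
    """Return {process: peak distinct files} for processes that read at least
    `threshold` distinct target-extension files within `window_minutes`."""
    per_proc = defaultdict(list)
    for line in lines:
        ts, proc, path = parse_event(line)
        if has_target_ext(path):
            per_proc[proc].append((ts, path))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for proc, events in per_proc.items():
        events.sort()
        in_window = Counter()  # path -> occurrences inside the current window
        start = 0
        for ts, path in events:
            in_window[path] += 1
            while ts - events[start][0] > window:  # slide the left edge forward
                old = events[start][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged[proc] = max(flagged.get(proc, 0), len(in_window))
    return flagged
```

Legitimate tools such as backup agents or indexers will also trip this rule, so tune the threshold and allow-list known processes before alerting on it.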

What else do they do?

Another concerning aspect of their attacks is that they:

  • use AnyDesk software to access the compromised systems remotely
  • employ PowerShell scripts to hijack sessions and bypass two-factor authentication (2FA)
  • rely on platforms like Telegram and Telegraph to fetch command-and-control (C2) information for communication
  • take various measures to avoid detection and to keep their network infrastructure fault-tolerant
  • frequently change the IP addresses of intermediate control nodes during the day, sometimes six times or more, indicating a high level of automation in their processes.

What did we learn?

It is not only our data that is being leaked and misused. State-level threat actors are the most significant threats. Thus, the time has come to make our digital space as secure as possible through combined effort.

Security is essential for sustenance. Beware and be safe!

Author: PureVPN

Date: July 18, 2023
