Russian Shuckworm

Russians hit again: Shuckworm espionage group targeting Ukraine


The Russian threat group known as Shuckworm has been actively carrying out cyber attacks on Ukrainian organizations to steal sensitive information. 

According to a recent report from Symantec, their targets have included security services, military institutions, and government entities. These cyber intrusions commenced between February and March of 2023 and have persisted for several months in certain instances.

Who is Shuckworm?

Shuckworm, also recognised under aliases such as Aqua Blizzard, Armageddon, Gamaredon, and UNC530, is believed to have ties to Russia’s Federal Security Service (FSB). The group has been operational since at least 2013. Its primary tactic is spear-phishing, in which it:

  • Sends carefully crafted emails that lure victims into opening malicious attachments
  • Uses those attachments to deploy information-stealing malware such as Giddome, Pterodo, GammaLoad, and GammaSteel onto the compromised systems.

Secureworks, a cybersecurity company, characterizes Shuckworm as “operating quickly, prioritizing speed over operational security. This approach has made their infrastructure easily identifiable due to their consistent use of specific Dynamic DNS providers, Russian hosting services, and remote template injection techniques.”

Tactics it follows

In its recent attacks, Shuckworm has been observed:

  • Using a fresh PowerShell script to propagate the Pterodo backdoor through USB drives.
  • Building on its known use of Telegram channels to retrieve the IP addresses of servers hosting its payloads by also storing command-and-control (C2) addresses on Telegraph, a blogging platform owned by Telegram.
  • Employing a PowerShell script named “foto.safe,” which is distributed through compromised USB drives and can download additional malware onto infected machines.
  • Breaching the systems of human resources departments within the targeted organizations, which suggests that its objective is to gather information about the individuals these entities employ.

Source: Symantec

These findings illustrate Shuckworm’s continued reliance on ephemeral infrastructure and its ongoing adaptation of tactics and tools to evade detection.
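The two behaviours the post describes (a PowerShell script launched from a USB drive, and C2 addresses fetched from Telegram-owned services) can be expressed as detection rules. The Python below is an added example, not code from the PureVPN post or from Symantec’s report. It runs two rules over constructed JSON-formatted process-creation and DNS log lines and escalates any host on which both behaviours appear. The log format, the host names, and the assumption that the endpoint agent records which drive letters are removable are all constructed for this example; the only value taken from the post is the script name “foto.safe”, and telegra.ph is Telegraph’s real domain.

```python
"""Added example (not from the PureVPN post or Symantec's report): two
detection rules over constructed endpoint log lines, plus a per-host
correlation step. Log format, hostnames and drive letters are assumptions."""

import json
import os
import re
from dataclasses import dataclass

# Script hosts whose launch from removable media is worth a look.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Extensions a script host would normally be handed; anything else (the post
# names "foto.safe") raises severity because it hides the file's real purpose.
STANDARD_SCRIPT_EXT = {".ps1", ".psm1", ".vbs", ".js", ".bat", ".cmd"}
# Telegram-owned services the post names as C2-address hosts (telegra.ph is
# Telegraph). They have legitimate uses, so the rule keys on the process
# image resolving them, never on the domain alone.
TELEGRAM_DOMAINS = {"telegra.ph", "t.me", "telegram.org", "telegram.me"}

# Windows paths on a command line, quoted (may contain spaces) or bare.
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)')


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str
    severity: str


def _image_name(path: str) -> str:
    """Lower-cased file name of an image path, portable across OSes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def check_removable_script(rec: dict):
    """Rule 1: a script host given a file that lives on a removable drive."""
    if rec.get("type") != "process" or _image_name(rec["image"]) not in SCRIPT_HOSTS:
        return None
    removable = {d.upper() for d in rec.get("removable_drives", [])}
    for quoted, bare in WIN_PATH.findall(rec.get("cmdline", "")):
        path = quoted or bare
        if path[:2].upper() not in removable:
            continue
        odd_ext = os.path.splitext(path)[1].lower() not in STANDARD_SCRIPT_EXT
        detail = f"{_image_name(rec['image'])} referenced {path}"
        if odd_ext:
            detail += " (non-standard script extension)"
        return Finding(rec["host"], "script-host-from-removable-drive", detail,
                       "high" if odd_ext else "medium")
    return None


def check_telegram_lookup(rec: dict):
    """Rule 2: a script host resolving a Telegram/Telegraph domain."""
    if rec.get("type") != "dns" or _image_name(rec["image"]) not in SCRIPT_HOSTS:
        return None
    query = rec["query"].lower().rstrip(".")
    if any(query == d or query.endswith("." + d) for d in TELEGRAM_DOMAINS):
        return Finding(rec["host"], "script-host-telegram-lookup",
                       f"{_image_name(rec['image'])} resolved {query}", "medium")
    return None


def analyse(lines):
    """Run both rules over JSON log lines; a host tripping both is escalated."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        for rule in (check_removable_script, check_telegram_lookup):
            hit = rule(rec)
            if hit:
                findings.append(hit)
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    for host, rules in rules_by_host.items():
        if len(rules) == 2:
            findings.append(Finding(host, "removable-script-plus-telegram-c2",
                                    "both behaviours seen on the same host", "critical"))
    return findings


# Constructed sample records (hostnames, paths and the log schema are invented).
SAMPLE_LOGS = [json.dumps(r) for r in [
    {"type": "process", "host": "WS01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File E:\\foto.safe", "removable_drives": ["E:"]},
    {"type": "process", "host": "WS02",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1", "removable_drives": []},
    {"type": "process", "host": "WS03", "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe E:\\report.docx", "removable_drives": ["E:"]},
    {"type": "dns", "host": "WS01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "query": "telegra.ph"},
    {"type": "dns", "host": "WS04", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "query": "t.me"},
    {"type": "dns", "host": "WS02", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "query": "api.github.com"},
]]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.host}: {f.rule} - {f.detail}")
```

Only WS01 trips either rule: the benign PowerShell backup on WS02, the document opened from USB by Explorer on WS03, and the browser visiting t.me on WS04 produce nothing, while WS01 gets both rule hits and the correlated critical finding. In a real deployment STANDARD_SCRIPT_EXT and SCRIPT_HOSTS should be tuned to the environment, and the removable-drive list would come from the endpoint agent rather than the log line itself.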

Thoughts in hand

Russia’s state-level attacks are a clear indicator that it is targeting Ukraine as a whole. Targeting high-profile sectors in any country makes it clear that the purpose is to learn the secrets of its survival. Whatever the motives, war must end and should never happen again.

author: PureVPN

date: June 16, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secured.
