Microsoft announced this week that the Russian hacking group “Gamaredon” has been targeting Ukrainian organizations with a spear-phishing email streak since October of 2021.
It’s believed that the group has been operating with the help of the Russian Federal Security Service (FSB) beyond that date in the past, going even further to Ukraine’s 2013 attacks.
But what exactly is known to this day?
What Is Gamaredon and How Do They Work?
The hacking group is also known as Armageddon, Primitive Bear, Shuckworm, and ACTINIUM. And according to Ukraine’s security and secret services (SSU & SSBU), it’s linked to Russia’s FSB: Federal Security Service.
Security and threat researchers from both the Microsoft Threat Intelligence Center and the Microsoft Digital Security Unit (MSTIC & DSU) have also raised their voices to claim Gamaredon’s campaign is about cyber-espionage and is being coordinated out of Crimea.
The clues point out to confirm that Gamaredon hackers are backed up by Crimean FSBs, who supported Russia during the 2014 occupation. On the other hand, it’s also said that those behind Gamaredon aren’t responsible for last month’s data-wiping cyberattacks of which multiple Ukraine government and corporate entities were targeted.
Microsoft Cybersecurity Intel added –
“MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations.
Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis.”
January 2022 SSU Cyberattack Blockage
This statement comes a time after Palo Alto Networks’ Unit 42 issued a report about the group’s recent activity targeting Ukraine. They said this was “an attempt to compromise a Western government entity in Ukraine on Jan. 19, 2022” via a spear-phishing attack pushing a malware downloader.
Symantec’s Threat Hunter team described the same tactics after seeing Gamaredon distributing macro-laced Word documents in spear-phishing attacks starting in July of 2021.
Unit 42 said:
“In this attempt, rather than emailing the downloader directly to their target, the actors instead leveraged a job search and employment service within Ukraine.
Given the steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to compromise this Western government organization.”
The reports confirmed the advisory announced by the Ukrainian Computer Emergency Response Team who previously warned of attacks against Ukrainian authorities, one day prior to the SSU statement of a blockage of 120 brute-force and malware cyberattacks targeting the Ukrainian state institution’s systems.
“MSTIC assesses that the primary outcome of activities by ACTINIUM is persistent access to networks of perceived value for the purpose of intelligence collection,” Microsoft also said today.
Despite the seemingly wide deployment of malicious capabilities in the region, follow-on activities by the group occur in areas of discrete interest, indicating a possible review of targeting.”