- ESET analysts have discovered another series of cyberattacks from the cyber-espionage group Gamaredon, primarily targeting Ukrainian government and military institutions.
- Over the year (November 2022 to December 2023), the group carried out attacks on over 1,000 unique devices in Ukraine. The primary targets were email inboxes, messengers, and institution platforms.
- Among the countries attacked was also Poland.
Attacks targeted at Ukraine and NATO
ESET analysts have discovered the activities of the Russian-affiliated cyber-espionage group Gamaredon, which according to the Ukrainian Security Service, is tied to the Russian FSB. Gamaredon has been operating since 2013 and is classified as an Advanced Persistent Threat (APT) group – a coordinated entity carrying out sophisticated cyberattacks.
“APT groups often have government backing, and their aim is to destabilize infrastructure, weaken enemy strategic points, or steal data. Their operation is institutional, often dogged, requires significant resources, time, and specialized knowledge, and is strongly focused on results. This distinguishes APT group members from standard cybercriminals,” explains Kamil Sadkowski, an analyst at ESET’s antivirus laboratory.
From November 1, 2022, to December 31, 2023, the Gamaredon group attacked more than a thousand unique devices in Ukraine. The cyber spies’ activities were not limited to Ukraine. In April 2022 and February 2023, attack attempts were also recorded against other Central and Eastern European countries belonging to NATO: Bulgaria, Latvia, Lithuania, and Poland – fortunately, as the experts emphasize, they were unsuccessful.
How do cyberspies operate?
The criminals from the Gamaredon group attack using what is known as spear-phishing – actions targeted at carefully selected individuals who usually hold high positions in institutions and therefore have access to important, particularly sensitive data. The cyber spies infect documents (e.g., Word files) and USB drives with malicious software, counting on the malware being passed on over time to other employees of the institution. In 2023, the Gamaredon group significantly expanded its capabilities, developing several new tools written in PowerShell.
The main goal of the group’s activities is to obtain valuable data from email, from applications running in the browser, and from messengers that are particularly popular in Eastern Europe, namely Signal and Telegram.
Some of the malicious software was also intended to enable the theft of data related to the Ukrainian military system and to the email system used by a Ukrainian government institution.
The Gamaredon group uses a technique known as fast-flux DNS, in which the IP addresses behind its command-and-control (C&C) domains are changed frequently. Furthermore, the group constantly registers and updates many new domains. All of this is intended to make it harder for the relevant authorities to locate the infrastructure and block the group’s activities.
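Fast-flux infrastructure of the kind described above leaves a measurable trace in DNS telemetry: the same domain resolves to many different addresses within a short time, usually with very low TTLs and across unrelated network ranges. The following Python script is an added illustration of how a defender might surface such domains from passive-DNS or resolver logs; it is not ESET’s detection logic and is not taken from the report. The records, domain names, addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed passive-DNS style observations: (observed_at, qname, rdata, ttl).
# All names and addresses are made-up sample values, not indicators from the report.
SAMPLE_RECORDS = [
    # A domain whose A record hops across unrelated /24s every few hours with a 60 s TTL.
    ("2023-06-01T08:00:00", "updates.example-flux.test", "198.51.100.10", 60),
    ("2023-06-01T10:00:00", "updates.example-flux.test", "203.0.113.25", 60),
    ("2023-06-01T12:00:00", "updates.example-flux.test", "192.0.2.77", 60),
    ("2023-06-01T14:00:00", "updates.example-flux.test", "198.18.0.5", 60),
    ("2023-06-01T16:00:00", "updates.example-flux.test", "198.19.1.9", 60),
    ("2023-06-01T18:00:00", "updates.example-flux.test", "203.0.113.99", 60),
    # A CDN-style name: low TTL, but only a few addresses, all in one /24.
    ("2023-06-01T08:05:00", "www.benign-example.test", "198.51.100.40", 300),
    ("2023-06-01T12:05:00", "www.benign-example.test", "198.51.100.41", 300),
    ("2023-06-01T16:05:00", "www.benign-example.test", "198.51.100.42", 300),
    # A stable name with a single address and a long TTL.
    ("2023-06-01T09:00:00", "mail.stable-example.test", "192.0.2.200", 3600),
    ("2023-06-01T21:00:00", "mail.stable-example.test", "192.0.2.200", 3600),
]


def parse_records(records):
    """Turn raw tuples into (datetime, qname, ip_address, ttl) tuples."""
    return [
        (datetime.fromisoformat(ts), qname, ip_address(rdata), int(ttl))
        for ts, qname, rdata, ttl in records
    ]


def fast_flux_candidates(
    records,
    window=timedelta(hours=24),  # how far apart observations may be and still count together
    min_ips=5,                   # distinct addresses seen within one window
    max_median_ttl=300,          # fast-flux names typically keep TTLs very short
    min_prefixes=3,              # distinct /24s: separates flux from a single CDN pool
):
    """Return {qname: stats} for names whose resolution pattern looks like fast flux.

    A name is flagged only when all three heuristics agree, which keeps ordinary
    low-TTL CDN names (many records, one network range) out of the result.
    """
    by_name = defaultdict(list)
    for observed_at, qname, ip, ttl in parse_records(records):
        by_name[qname].append((observed_at, ip, ttl))

    flagged = {}
    for qname, observations in by_name.items():
        observations.sort(key=lambda o: o[0])
        # Largest number of distinct addresses inside any window-long span.
        peak_distinct = 0
        for i, (start, _, _) in enumerate(observations):
            in_span = {ip for ts, ip, _ in observations[i:] if ts - start <= window}
            peak_distinct = max(peak_distinct, len(in_span))
        prefixes = {ip_network(f"{ip}/24", strict=False) for _, ip, _ in observations}
        ttl_median = median(ttl for _, _, ttl in observations)

        if (
            peak_distinct >= min_ips
            and ttl_median <= max_median_ttl
            and len(prefixes) >= min_prefixes
        ):
            flagged[qname] = {
                "distinct_ips_in_window": peak_distinct,
                "median_ttl": ttl_median,
                "distinct_prefixes": len(prefixes),
            }
    return flagged


if __name__ == "__main__":
    for name, stats in fast_flux_candidates(SAMPLE_RECORDS).items():
        print(name, stats)
```

The three checks are deliberately combined: a low TTL alone matches most content-delivery networks, and address churn alone matches round-robin load balancing, but churn across several unrelated /24 ranges with a short TTL is the combination that characterises flux networks. Thresholds should be tuned against a baseline of the organisation’s own resolver traffic before the output is used for blocking.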
“Gamaredon members do not strive to stay hidden for as long as possible; they do not use modern techniques for this purpose, one could even say they like making noise. This strongly differentiates them from other APT groups, which usually strive to remain unnoticed for as long as possible. Gamaredon puts a lot of effort into making sure their actions are not thwarted, but not by acting in secret. At the same time, they put a lot of effort into avoiding precise tracking, which would lead to their actions being blocked by other entities or software,” explains Zoltán Rusnák, an ESET analyst who discovered and analyzed the described activities of the Gamaredon group.
Cyber attacks as a warfare element
As ESET representatives emphasize, it is not the sophisticated and creative methods, but the persistence in action that is the most dangerous in the case of cybercriminals belonging to Gamaredon.
“The group’s members will do everything possible to maintain the access to documents or drives that they once gained. In doing so, they intensify and repeat their actions. We expect the group will continue to focus on attacks on Ukraine,” they added.
Spear-phishing attacks are just one part of the cyber-espionage and cybercriminal activity targeting Ukraine. For example, in mid-December 2023, Kyivstar, the largest Ukrainian telecommunications company, fell victim to a cyberattack, as a result of which about 24.3 million subscribers lost access to telephone and internet services, and stores throughout Ukraine were unable to process card payments.
In mid-February 2022, Ukrainian banking infrastructure was hit by massive DDoS attacks, which took the websites of the two largest Ukrainian banks offline. Likewise, in January and February 2022, the conventional attack from Russia was preceded by cyberattacks on government websites and other institutions. CERT-UA estimates that in 2023 alone there were over 2,000 attempted cyberattacks on Ukraine.
Zoltán Rusnák emphasizes that in the coming months, we can expect further attacks from the Gamaredon group on Ukrainian institutions. Therefore, all allied countries should keep a close eye on the situation and maintain the highest standards of cybersecurity in their key institutions.
Source: https://managerplus.pl/cyberszpiedzy-nie-odpuszczaja-ukrainie-i-jej-sojusznikom-z-nato-42855