A series of cyberattacks on Ukrainian institutions over the past few weeks — including website defacement, computer-wiping malware and phishing campaigns — have the hallmarks of hacking activity associated with the Russian government, but conclusive attribution remains elusive.
Research published Thursday, however, shows how a known Russia-linked hacking group, Gamaredon, could be involved in active targeting of Ukrainian targets, including an attempt to compromise a Western government entity in Ukraine on Jan. 19.
The findings, published by Palo Alto Networks’ Unit 42 threat intelligence unit, focus on the group as the Russian military amasses more than 100,000 troops along its border with Ukraine. The U.S. and other NATO governments say it’s preparation for a dramatic military escalation.
Unit 42 makes clear that its research does not directly tie Gamaredon to the recent high-profile attacks. Microsoft’s Threat Intelligence Center (MSTIC), in its own analysis of the group published Friday, also said it has yet to find any connection between the recent hacks and Gamaredon. MSTIC had originally flagged the destructive malware used against some Ukrainian government systems on Jan. 15.
In its research published Thursday, Unit 42 says it mapped out three “large clusters” of Gamaredon infrastructure that are used to support phishing and malware delivery. The clusters broadly associate with downloaders, file stealers and a custom remote access tool called “Pteranodon,” which has been associated with Gamaredon for years.
The research offers insights into two recent phishing attempts. One, on Dec. 1, targeted the State Migration Service. The other, on Jan. 19, took an interesting approach to target the unnamed Western government organization: Rather than send a direct email to the target, the hackers used a job search and employment service in Ukraine to upload a malware-laced resume for an open job with the Western entity.
“Given the steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to compromise this Western government organization,” the researchers wrote.
Unit 42 researchers also observed what seems to be active development of malware, where a piece of code was uploaded to VirusTotal — an online platform for analyzing malicious files — multiple times within a matter of minutes, each time with slight iterations.
Activity attributed to Gamaredon — also known as Armageddon and Primitive Bear — dates back to 2013 or 2014, and the group is well-known to the Ukrainian government. The country’s Security Service published a detailed analysis of the advanced persistent threat group’s activities in November 2021, outing the group’s hackers by name along with Ukrainian “traitors who sided with the enemy.”
The government’s report blamed the group for more than 5,000 cyberattacks on Ukrainian state entities and critical infrastructure that attempted to “infect” more than 1,500 government computer systems.
Earlier this week Symantec’s Threat Hunter Team published an examination of a mid-2021 Gamaredon campaign that used infected Microsoft Word attachments for malware delivery. Microsoft’s analysis of Gamaredon published Friday — which it calls ACTINIUM — covers its activities over the last six months, including the fact that the group has been “operating out of Crimea with objectives consistent with cyber espionage.”
Since Oct. 21, MSTIC reports, “ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis.”
Use of internet domains
The Unit 42 analysis details the group’s unique approach to the infrastructure needed for domains. Instead of discarding domains after use, they’re instead kept and consistently rotated to be used in other campaigns.
One domain, for instance, was publicly associated with the group as far back as 2019, but is still in use and was associated with a cluster of domains registered as recently as Jan. 27. Unit 42 researchers identified nearly 700 domains that are a mix of URLs previously associated with Gamaredon and new ones.
The tactic ultimately helps the group obfuscate its activity, and also control the access to the malicious files hosted on its infrastructure. The URL pointing to malware within various payloads only active for finite periods, meaning attempts by researchers to find malware and analyze it are that much harder.
“As international tensions surrounding Ukraine remain unresolved, Gamaredon’s operations are likely to continue to focus on Russian interests in the region,” the researchers wrote. “While we have mapped out three large clusters of currently active Gamaredon infrastructure, we believe there is more that remains undiscovered.”