Gamaredon, a hacking group believed to be linked to Russia and likely operating under the Russian Federal Security Service (FSB), has been observed using USB-spreading malware to move laterally within compromised Ukrainian networks, according to Symantec.
Key Takeaways:
- Russian hacking group Gamaredon, believed to be operating on behalf of the Russian Federal Security Service (FSB), has been infecting USB drives to move laterally within compromised Ukrainian networks.
- Gamaredon primarily targets government officials, journalists, military personnel, and NGOs, but has also attacked a petroleum refining company.
- The recent attacks by Gamaredon focused on Ukrainian government organizations, military personnel, and security services in support of Russia’s invasion of Ukraine.
Gamaredon, also tracked as Armageddon, Primitive Bear, Shuckworm, and Trident Ursa, has been active since around mid-2013 and primarily targets individuals and entities in Ukraine. The group is notorious for conducting phishing email campaigns to deliver malware and providing access to compromised networks to other threat actors.
Targeting the Ukrainian Government and Military
Gamaredon has a history of targeting government officials, journalists, military personnel, and NGOs in Ukraine. However, recent attacks indicate a specific focus on Ukrainian government organizations, military personnel, and security services, as part of their support for Russia’s invasion of Ukraine, as reported by Symantec.
USB-Spreading Malware for Lateral Movement
Gamaredon has refreshed its tooling and infrastructure to evade detection and has added a new propagation method: removable USB drives. The group has developed a PowerShell script that spreads its custom backdoor, Pterodo, via USB. Once running on an infected machine, the script writes a copy of itself to the host, enumerates the machine's drives, and copies itself onto every removable drive it finds, so the backdoor is carried to whichever machine the drive is plugged into next. Because this spread needs no network path between hosts, it sidesteps the network-level controls that would normally catch lateral movement.
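The propagation pattern just described, a script that lists drives and copies itself to the removable ones, is also what a defender can hunt for. The PowerShell below is an added example written for this article; it is not Symantec's or Gamaredon's code and does not reproduce the Pterodo spreader. It inspects removable media for script and shortcut artifacts (resolving .lnk targets, since a shortcut that launches an interpreter is the usual lure), searches PowerShell script-block logs (event 4104) for blocks that both enumerate drives and copy files, and reports whether the "Removable Storage Access" policy already denies write or execute on removable disks. The extension list and regular expressions are assumed heuristics rather than a published signature, and the script assumes it is run elevated with script block logging already enabled.

```powershell
<#
  Added example for this article (not Symantec's or Gamaredon's code).
  Hunts for what a USB-spreading PowerShell script leaves behind:
    1. script and shortcut artifacts on removable media, with .lnk targets resolved;
    2. PowerShell script-block log entries (event 4104) that both enumerate
       logical drives and copy files;
  and reports whether Group Policy already denies write/execute on removable disks.
  Assumptions: run elevated on Windows; script block logging is already enabled;
  the extension list and regex patterns are assumed heuristics, not a published signature.
#>

$SuspiciousExt = @('.ps1', '.vbs', '.vbe', '.js', '.jse', '.hta', '.lnk', '.cmd', '.bat', '.wsf')

function Get-RemovableDriveArtifacts {
    $shell = New-Object -ComObject WScript.Shell
    # DriveType 2 is "Removable Disk" in Win32_LogicalDisk
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        Get-ChildItem -LiteralPath ($d.DeviceID + '\') -Force -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($SuspiciousExt -contains $_.Extension.ToLower()) -or
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -or
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
        } |
        ForEach-Object {
            $target = $null; $lnkArgs = $null
            if ($_.Extension -ieq '.lnk') {
                # A shortcut pointing at an interpreter (powershell, wscript, cmd, mshta)
                # is the usual lure that makes the next user launch the spreader.
                $lnk = $shell.CreateShortcut($_.FullName)
                $target = $lnk.TargetPath
                $lnkArgs = $lnk.Arguments
            }
            [pscustomobject]@{
                Path       = $_.FullName
                Attributes = $_.Attributes
                SizeBytes  = $_.Length
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                LnkTarget  = $target
                LnkArgs    = $lnkArgs
                LastWrite  = $_.LastWriteTimeUtc
            }
        }
    }
}

function Find-DriveSpreaderScriptBlocks {
    param([int]$Days = 30)
    # Assumed heuristics: a block that lists drives AND copies something deserves a look.
    $enumPattern = 'Win32_LogicalDisk|Get-PSDrive|GetDrives\(\)|DriveType'
    $copyPattern = 'Copy-Item|\.CopyTo\(|\.Copy\('
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4104 event data: [0] MessageNumber [1] MessageTotal [2] ScriptBlockText [3] ScriptBlockId [4] Path
        $text = [string]$_.Properties[2].Value
        if ($text -match $enumPattern -and $text -match $copyPattern) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                ScriptPath    = $_.Properties[4].Value
                Snippet       = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

function Test-RemovableStoragePolicy {
    # Device-class GUID for removable disks used by the "Removable Storage Access" policies
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    [pscustomobject]@{
        DenyWrite   = ($null -ne $p -and [int]$p.Deny_Write -eq 1)
        DenyExecute = ($null -ne $p -and [int]$p.Deny_Execute -eq 1)
    }
}

Get-RemovableDriveArtifacts             | Format-Table -AutoSize
Find-DriveSpreaderScriptBlocks -Days 30 | Format-Table -AutoSize
Test-RemovableStoragePolicy
```

The script-block hunt only works if `EnableScriptBlockLogging` is on; without it, a PowerShell spreader leaves no 4104 trail and the removable-media scan is the only host-side evidence. Treat any shortcut on a USB stick whose target is powershell.exe, wscript.exe, cmd.exe or mshta.exe as an incident until proven otherwise, and keep the drive write-blocked while imaging it.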
Potential Air-Gapped Network Access
The infected USB drives are most likely intended for lateral movement within victim networks, and they may also give the group a route onto air-gapped machines that have no network connection to the initially compromised host. Symantec identified multiple systems that became infected after an infected USB drive was connected to them.
Utilization of Legitimate Services and Campaign Duration
Gamaredon's recent attacks also abuse legitimate services such as Telegram for command-and-control (C&C). The group rotates its C&C infrastructure quickly to evade detection, but recurring features of the SSL/TLS certificates seen on that infrastructure can still be used to track it. The campaign, which focused on systems holding sensitive military information, began around February to March 2023 and, in some cases, gave the attackers access to compromised networks for several months.
Conclusion:
The Gamaredon hacking group, suspected of operating under the Russian Federal Security Service (FSB), has intensified its attacks on Ukrainian government organizations, military personnel, and security services.
By combining USB-spreading malware with refreshed tooling, short-lived infrastructure, and abuse of legitimate services for C&C, the group aims to gain persistent access, reach machines that network-based attacks cannot, and steal sensitive information. Because the USB propagation needs no network path, controlling removable-media use and logging PowerShell activity on endpoints matter as much here as the usual network-level defenses for critical systems.