Latest news with #Gamaredon
Channel Post MEA
21-05-2025
- Channel Post MEA
ESET APT Report Unveils Intensified Russian Cyberattacks on Ukraine
ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2024 through March 2025. During the monitored period, Russia-aligned threat actors, notably Sednit and Gamaredon, maintained aggressive campaigns primarily targeting Ukraine and EU countries. Ukraine was subjected to the greatest intensity of cyberattacks against the country's critical infrastructure and governmental institutions. The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. China-aligned threat actors continued engaging in persistent espionage campaigns with a focus on European organizations. Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. 'The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations,' says ESET Director of Threat Research Jean-Ian Boutin. Sednit refined its exploitation of cross-site scripting vulnerabilities in webmail services, expanding Operation RoundPress from Roundcube to include Horde, MDaemon, and Zimbra. ESET discovered that the group successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Several Sednit attacks against defense companies located in Bulgaria and Ukraine used spearphishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox (CVE 2024 9680) and Microsoft Windows (CVE 2024 49039). In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. At the same time, North Korea-aligned threat actors significantly increased their operations directed at South Korea, placing particular emphasis on individuals, private companies, embassies, and diplomatic personnel. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives. DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which ESET named NanoSlate, against a Central European government entity, while Webworm targeted a Serbian government organization using SoftEther VPN, emphasizing the continued popularity of this tool among China-aligned groups. Elsewhere in Asia, North Korea-aligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware. The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe{Wallet} that caused losses of approximately USD 1.5 billion. Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company. Iran-aligned APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel. Additionally, ESET observed a significant global uptick in cyberattacks against technology companies, largely attributed to increased activity by North Korea-aligned DeceptiveDevelopment. 'The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and developments, and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports,' adds Boutin. Intelligence shared in the private reports is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports PREMIUM and its delivery of high-quality, actionable tactical and strategic cybersecurity threat intelligence is available at the ESET Threat Intelligence page. 0 0
WIRED
14-04-2025
- Politics
- WIRED
Gamaredon: The Turncoat Spies Relentlessly Hacking Ukraine
Apr 14, 2025 6:00 AM For the past decade, this group of FSB hackers—including 'traitor' Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders. ANIMATION: JAMES MARSHALL Russian state hackers, perhaps more than those of any other nation, tend to show off. The notorious Sandworm unit within Russia's GRU military intelligence agency, for instance, has triggered unprecedented blackouts and released destructive, self-replicating code. The FSB's ingenious Turla group has hijacked satellite internet connections to steal victims' data from space. But one team of less-flashy cyberspies working on behalf of the Kremlin rarely earns the same notice: Armageddon, or Gamaredon. The hackers, believed to work in the service of Russia's FSB intelligence agency, aren't known for their sophistication. Yet they have strung together a decade-plus record of nearly constant espionage-focused breaches, grinding away with simple, repetitive intrusion methods, year after year. Thanks to that sheer overwhelming quantity of hacking attempts, they represent by some measures the top espionage threat facing Ukraine in the midst of its war with Russia, according to cybersecurity defenders who track the group. 'They are the most active state-aligned hacker group attacking Ukrainian organizations, by far,' says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET. ESET has tracked Gamaredon as it's breached the networks of hundreds of victims in Ukraine, stealing thousands of files on a daily basis, Lipovsky says. 'Their operation is highly effective," says Robert Lipovsky, a malware researcher at ESEThe adds. "Volume is their big differentiator, and that's what makes them dangerous.' If Gamaredon doesn't behave like other Russian hacking groups, that's in part because some of them aren't Russian nationals—or weren't, technically, until 2014. According to the Ukrainian government, Gamaredon's hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine's Maidan revolution. Some of them previously worked on behalf of Ukraine's own security services before switching sides when Russia's Crimean occupation began. 'They are officers of the 'Crimean' FSB and traitors who defected to the enemy,' reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems including critical infrastructure like 'power plants, heat and water supply systems.' The group's initial access techniques, ESET's Lipovsky says, consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine. Those relatively basic tactics have hardly evolved since the group first appeared as a threat aimed at Ukraine in late 2013. Yet by tirelessly cranking away at those simple forms of hacking and targeting practically every Ukrainian government and military organization—as well as Ukrainian allies in Eastern Europe—on a daily basis, Gamaredon has proven to be a serious and often underestimated adversary. 'People sometimes don't realize how big a part 'persistence' plays in the phrase APT,' says John Hultquist, chief analyst for Google's Threat Intelligence Group. "They're just relentless. And that itself can be kind of a superpower.' In October 2024, the Ukrainian government went as far as to sentence two of Gamaredon's hackers in absentia for not only hacking crimes but treason. A statement from the SBU at the time accused the two men—neither of whom are named—of having 'betrayed their oath' by voluntarily joining the FSB. For Gamaredon's former SBU hackers, turning on their former countrymen may not have resulted in the perks they hoped. Aside from the apparent slog of their nonstop phishing campaigns, intercepted phone communications between members of the group published by the SBU appear to show them complaining about their low pay and lack of recognition. 'They should have given you a medal,' one team member says to another in the Russian-language conversation. 'Screwed one more time.' Given how mind-numbingly workaday their hacking campaigns are, it's no wonder they complained about their working conditions, says Google's Hultquist. "Drudgery is so core to their operations,' he says. "This group grinds out wins." As disgruntled as Gamaredon's hackers may be, defending against their constant barrage of spying attempts is at least as difficult and boring, say some of the defenders tasked with tracking them. The group writes its malware in relatively unsophisticated scripting languages like VBScript and Powershell rather than the C++ used by savvier hackers. But Gamaredon tweaks its humdrum code constantly, sometimes with automated changes to create endlessly differentiated versions designed to defy antivirus, according to ESET, whose anti-malware products are used widely across Ukraine. In some cases, the hackers infect the same machine with numerous malware specimens, and hit so many targets that ESET hasn't even been able to identify all of the group's victims, despite closely tracking Gamaredon's campaigns. 'It's exhausting work,' says Anton Cherepanov, an ESET malware researcher. 'People overdose and get burnt out.' Since the start of Russia's full-scale war in Ukraine in 2022, Gamaredon has evolved to broaden its intelligence collection to messaging tools like Signal, WhatsApp, and Telegram, as well as the Delta software used by the Ukrainian military on tablet computers. A 2023 report by CERT-UA, the Computer Emergency Response Team of Ukraine, warned that Gamaredon has on at least one occasion launched a data-destroying attack against a victim facility, though it usually confines itself to mere intelligence gathering on behalf of the Russian military effort. The same report notes that once Gamaredon infects a machine, it often starts stealing files in as little as 30 minutes. By the end of a week, if the machine remains infected, the hackers will have installed 80 to 120 variants of its malware on the computer. If defenders fail to delete even one, the hackers keep their foothold and can maintain access to that device. All of that means Gamaredon represents a challenge that's painfully dull for cybersecurity defenders, but with dauntingly high stakes in the context of a war where stolen secrets can mean the difference between life and death. 'They're not interesting,' ESET malware researcher Zoltán Rusnák says. 'Just dangerous.'
