Hacker group attacks Ukraine and NATO countries

The IT security company ESET has conducted a comprehensive analysis of the activities of the Russian hacker group Gamaredon, which currently represents the greatest threat to Ukraine in cyberspace.

In the course of the research it was also discovered that NATO countries such as Bulgaria, Latvia, Lithuania and Poland were attacked – albeit unsuccessfully. According to ESET experts, Gamaredon also works with the APT group InvisiMole, which is primarily known for targeted attacks on high-profile organizations in Eastern Europe.

Gamaredon has been active since 2013 and is attributed by the Ukrainian security service to the Russian intelligence service FSB. The hackers carry out targeted cyberattacks mainly against Ukrainian government institutions. In 2023 the group significantly improved its capabilities and developed new data espionage tools. These tools focus on stealing sensitive information from email programs, messaging apps such as Signal and Telegram, and web browsers.

Gamaredon’s approach

The Gamaredon hacker group mainly uses two methods to trick its victims and break into their systems:

Spear phishing campaigns: Gamaredon carries out targeted phishing attacks, sending tailored emails to selected people or organizations. These emails often contain information that looks deceptively genuine and is intended to win the recipient’s trust. The goal is to trick the recipient into clicking a malicious link or opening an infected attachment.

Infected documents and USB drives: After gaining initial access to a system, Gamaredon uses custom malware to “weaponize” Word documents and USB drives. The original victims then often pass these infected files and devices on to further potential targets without knowing it. This allows the infection to spread throughout networks and organizations.

These tactics are particularly effective because they capitalize on human vulnerabilities such as trust and routine. Victims are often deceived into believing they are opening legitimate documents or using secure USB drives. The group specifically exploits the knowledge about its victims in order to make the attacks as convincing as possible.
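The article says Gamaredon “weaponizes” Word documents but not how. As an added example (not from ESET or the article), the script below triages OOXML Word files, for instance everything on a freshly mounted USB drive, for two generic markers a defender would check regardless of the actor: an embedded VBA macro project (word/vbaProject.bin) and an attached template whose target is a remote location. The sample documents are minimal skeletons constructed in memory, not real samples, and the host name template.invalid is a placeholder; the markers themselves are ordinary OOXML features, not something the article attributes to the group.

```python
"""Triage Word documents (OOXML .docx/.docm) for two markers of a
"weaponized" document: an embedded VBA macro project and an attached
template fetched from a remote location. Standard library only; the
sample documents below are constructed in memory and are not real samples."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"
MACRO_PART = "word/vbaproject.bin"
# http(s) URLs and UNC paths (\\host\share or file://host/share) count as remote;
# a plain local file:///C:/... target is what a normal attached template looks like.
REMOTE_RE = re.compile(r"^(https?://|\\\\|file://[^/])", re.I)


@dataclass
class Finding:
    name: str
    has_macros: bool = False
    external_templates: list = field(default_factory=list)

    @property
    def remote_templates(self) -> list:
        return [t for t in self.external_templates if REMOTE_RE.match(t)]

    @property
    def suspicious(self) -> bool:
        return self.has_macros or bool(self.remote_templates)


def inspect_docx(data: bytes, name: str = "<memory>") -> Finding:
    """Return a Finding for one document given its raw bytes."""
    finding = Finding(name)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return finding  # legacy .doc / RTF are out of scope for this check
    with zf:
        names = zf.namelist()
        finding.has_macros = any(n.lower() == MACRO_PART for n in names)
        if SETTINGS_RELS in names:
            # For untrusted input in production, parse with defusedxml instead.
            root = ET.fromstring(zf.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if (rel.get("Type", "").endswith("/attachedTemplate")
                        and rel.get("TargetMode", "").lower() == "external"):
                    finding.external_templates.append(rel.get("Target", ""))
    return finding


def scan_directory(path: str) -> list:
    """Inspect every Word file under path (e.g. the mount point of a USB drive)."""
    return [inspect_docx(p.read_bytes(), str(p))
            for p in Path(path).rglob("*")
            if p.is_file() and p.suffix.lower() in {".docx", ".docm", ".dotx", ".dotm"}]


# ---- constructed sample documents (minimal OOXML skeletons, not real malware) ----
def build_sample(extra_parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for part, content in extra_parts.items():
            zf.writestr(part, content)
    return buf.getvalue()


def rels_xml(target: str) -> str:
    return (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
            f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
            f'Target="{target}" TargetMode="External"/></Relationships>')


SAMPLES = {
    "clean.docx": build_sample({}),
    "macro.docm": build_sample({"word/vbaProject.bin": b"\x00" * 32}),
    "local_template.docx": build_sample(
        {SETTINGS_RELS: rels_xml("file:///C:/Users/u/Templates/Normal.dotm")}),
    "remote_template.docx": build_sample(
        {SETTINGS_RELS: rels_xml("http://template.invalid/t.dotm")}),  # placeholder host
}


def triage_samples() -> dict:
    """Map sample name -> suspicious flag for the constructed samples."""
    return {n: inspect_docx(b, n).suspicious for n, b in SAMPLES.items()}


if __name__ == "__main__":
    findings = (scan_directory(sys.argv[1]) if len(sys.argv) > 1
                else [inspect_docx(b, n) for n, b in SAMPLES.items()])
    for f in findings:
        print(f"{'SUSPICIOUS' if f.suspicious else 'ok        '} {f.name} "
              f"macros={f.has_macros} remote_templates={f.remote_templates}")
```

Run it with a directory argument to scan real files, or without one to see the four constructed samples triaged. A locally attached Normal.dotm is deliberately not flagged, since that is what a benign document created from a template looks like; only macro projects and templates pulled from a URL or UNC path raise the flag. The check is a triage aid, not a verdict: documents that fail it still deserve a look in an isolated environment.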

Also active against NATO states with new tools

Of particular concern is the discovery of the “PteroBleed” malware, which specifically targets Ukrainian military systems and the webmail service of a Ukrainian government agency. ESET researchers also observed isolated attack attempts on targets in NATO countries such as Bulgaria, Latvia, Lithuania and Poland, although no successful intrusions have been identified so far.

In contrast to many other hacker groups, Gamaredon acts conspicuously and ruthlessly. The group frequently updates and obfuscates its tools and quickly switches between server addresses and domains, while deploying several simple malware tools in parallel to maintain access. Despite the relative simplicity of its individual tools, this aggressive approach makes Gamaredon a significant threat.

Fighting with an open visor

ESET researcher Zoltán Rusnák explains: “Gamaredon does not try to remain undetected. The lack of sophistication of Gamaredon tools is compensated for by frequent updates and changing obfuscation techniques to evade security measures. The group uses several simple downloaders or backdoors at the same time to secure access to compromised systems.”

Given the ongoing conflict in the region, ESET expects Gamaredon to maintain its focus on Ukraine. To protect yourself from such cyberattacks, experts recommend regularly updating operating systems and security software, being careful when opening email attachments and links, and using strong, unique passwords and two-factor authentication.

Source: www.com-magazin.de