Government agencies from Ukraine have disclosed the identity of five members of the Gamaredon cyberespionage group that has been targeting the country since 2014. All the identified members allegedly work for a Russian federal agency.

About Gamaredon

The Gamaredon group is behind various malicious phishing campaigns aimed at Ukrainian institutions, and harvesting sensitive information from infected Windows systems for geopolitical interests.
  • The group allegedly carried out around 5,000 cyberattacks against public authorities and the critical infrastructure of Ukraine and attempted to target over 1,500 government computer systems.
  • Their most attacks are aimed at security, defense, and law enforcement agencies to get intelligence information.

Findings from the investigation

The Security Service of Ukraine (SSU) has claimed that the Gamaredon threat group is suspected to be a special project of the Russian Federal Security Service (FSB) and specifically targets multiple industries in Ukraine.
  • The Ukrainian authorities have accused five individuals of espionage, treason, causing inference in the work of electronic computers along with delivery and use of malware.
  • All five individuals were working under the guidance of the 18th Center of Information Security of the FSB. Moreover, all are officers of the Crimean FSB who sided with Russian interests. 
  • To be noted, the five men have not been detained yet, however, officials are in hope that the making their names public could, if nothing, can help curb their operations.

What were the group’s toolset and tactics?

In their technical report, experts provided information regarding Gamaredon’s toolset and tactics.
  • The group is known for using Outlook macros and the deploy EvilGnome backdoor to target systems.
  • They exploit vulnerabilities such as the CVE-2018-20250 (WinRAR) and CVE-2017-0199 (MS Office).
  • They use removable media to plant malware on offline systems and then move laterally in isolated networks.
  • Moreover, the group uses a modular remote administration tool known as Pteranodon.

The bottom line

The report suggests that nation-states are allegedly sponsoring offensive cyber capabilities to their advantage. The technical details released in the report are expected to help researchers link this group with other unknown incidents in the past.

Cyware Publisher

Publisher

Cyware