Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Gamaredon Hackers Amplified Hacks Amid Kyiv Counteroffensive

The FSB-Linked Group Is Growing in Sophistication, Say Ukrainian Cyber Defenders
Gamaredon Hackers Amplified Hacks Amid Kyiv Counteroffensive
A M777 howitzer in Ukraine in a 2022 photo (Image: Ministry of Culture and Information Policy of Ukraine)

A hacking group linked to Russian domestic intelligence agency the FSB has intensified attacks in tandem with a Ukrainian military push to expel Russian invaders, say Kyiv cyber defenders.

Ukraine's National Cybersecurity Coordination Center in a report published Thursday said a group tracked as Gamaredon and as Armageddon is improving its sophistication and tempo of attacks.

Gamaredon may not be the most technically advanced hacking group targeting Ukraine, but its methods show improvement, and the intensification of its attacks indicates it has more resources to draw on, the center said.

The group, which has been operational since 2013 or 2014, consists of regular officers of the FSB and some former law enforcement officers of Ukraine, the Security Service of Ukraine reported in 2021. In early June, Kyiv launched a counteroffensive against Russian forces that has been bogged down with heavy Russian defenses. CNN reported Friday that Ukrainian forces have penetrated a first line of Russian positions in the Zaporizhzhia region along the Dnipro River but still face a sprawling network of fortified trenches.

Gamaredon historically uses phishing campaigns to bait victims. The group's campaigns are distinguished from others by the use of legitimate documents stolen from compromised government and military organizations.

One sign of Gamaredon's growing financial backing was an April and May surge in registered domains and subdomains - infrastructure used for hacks initiated as the counteroffensive began, the report says. Having on tap a wide swath of domains created a dynamic infrastructure that makes discovery and attribution difficult.

The group uses legitimate services, including Cloudflare's public DNS resolver and Telegram, to extract IP addresses it uses to obscure the origin of attacks. Kyiv is considering limiting Telegram and Telegram microblogging platform Telegraph on national security grounds.

Gamaredon's malware arsenal includes malware known as GammaDrop, GammaLoad, GammaSteel and LakeFlash. One that stands out is Pterodo, a multipurpose espionage tool that Ukrainian cyber defenders call a powerful threat capable of penetrating and compromising target systems. Security researchers from Symantec earlier this summer observed Gamaredon spreading the custom backdoor through USB drives in a likely bid to reach air-gapped machines (see: Russian Hackers Using USB Malware to Target Ukraine).


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.