Russian Gamaredon Spies Eye Ukrainian Counteroffensive Efforts
Group Targets Military Secrets in Particular, Using a Host of Infostealer Malware Strains
Russia-backed Gamaredon hackers have intensified attacks against Ukrainian military organizations as the country ramped up its counteroffensive, which began in early June, against the Kremlin's forces in the south.
Ukraine's National Cybersecurity Coordination Center (NCSCC), in a report published Thursday, said that against the background of the new stage of military operations, the primary objectives of Gamaredon's attacks remain espionage and data theft, "in particular, secret military information."
The advanced persistent threat group, also known as Armageddon and Primitive Bear, has previously been linked by Ukraine to the Office of Russia's Federal Security Service (FSB) in the Republic of Crimea and the city of Sevastopol. Operational since at least 2014, the group consists of regular FSB officers and some former Ukrainian law enforcement officers, according to a technical report by the Security Service of Ukraine.
Ukraine's push could be a defining moment in the ongoing war, but Ukrainian officials caution against calling it a "decisive battle." Western allies are monitoring the situation closely, as countries like Poland and the U.S. provide weapons to aid Kyiv's efforts. Russia, meanwhile, is trying to disrupt Ukraine's offensive operation both on the battlefield and in cyberspace.
Before the Ukrainian counteroffensive, the Gamaredon group expanded its infrastructure to carry out high-volume cyberattacks on Ukrainian military and security entities.
In April and May, the group registered a significant number of domains and subdomains to create a dynamic infrastructure that makes discovery and attribution of its activity difficult for Ukrainian cyber defenders, the NCSCC said.
The group routes its activity through legitimate services such as Cloudflare, Telegram Messenger and Telegraph rather than exposing its real IP addresses, which hides its malicious infrastructure from defenders.
"Using Cloudflare DNS and Telegram, the Gamaredon group managed to avoid revealing IP addresses directly in the body of their malware. Instead, the malware extracted or generated domain names from these platforms, allowing the group to dynamically obtain IP addresses and reduce the risk of detection through traditional IP-based security measures and signature-based detection methods," the NCSCC said.
The continued misuse of these platforms for malicious purposes, including hiding network activity, stealing data and interacting with command-and-control servers, raises concerns about their security implications.
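The practical consequence of the technique described above is that an IP-based indicator list has nothing to match on: the sample carries only references to Telegram, Telegraph or Cloudflare DNS, and the real C2 address is resolved at run time. The following is an added example, written for this article and not taken from the NCSCC report or from any Gamaredon sample, that shows the defender's side of that problem. It runs a simple behavioural rule over a constructed proxy/DNS log: flag a host that resolves a never-before-seen domain within a short window after fetching from one of those intermediary services, which catches the "dead drop" step without needing the final IP. The log lines, the baseline of known domains, the set of intermediary hostnames, the five-minute window and the two sets of extracted strings are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Legitimate services the NCSCC report names as intermediaries. Treating them
# as "dead drop" hosts is this example's assumption; tune it to your estate.
DEAD_DROP_HOSTS = {"t.me", "telegra.ph", "api.telegram.org", "cloudflare-dns.com"}

# A first-seen DNS lookup this soon after a dead-drop fetch is flagged (assumed window).
WINDOW = timedelta(minutes=5)

# Constructed proxy/DNS log, one event per line (not real telemetry):
#   <ISO-8601 time> <source host> <http|dns> [GET|POST] <url or domain>
SAMPLE_LOG = """\
2023-06-15T08:01:02 ws-17 http GET https://t.me/s/examplechannel
2023-06-15T08:01:04 ws-17 dns a1b2c3.example-subdomain.test
2023-06-15T08:01:05 ws-17 http POST https://a1b2c3.example-subdomain.test/upload
2023-06-15T08:30:00 ws-22 http GET https://www.example.com/
2023-06-15T08:30:01 ws-22 dns www.example.com
2023-06-15T09:00:00 ws-40 http GET https://telegra.ph/some-page-06-15
2023-06-15T09:40:00 ws-40 dns late.example-subdomain.test
"""

# Domains already in the environment's baseline (constructed for the example).
KNOWN_DOMAINS = {"www.example.com", "t.me", "telegra.ph"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(http|dns)\s+(?:(?:GET|POST)\s+)?(\S+)$")


def host_of(target: str) -> str:
    """Return the hostname of a URL, or a bare domain unchanged, lower-cased."""
    m = re.match(r"^[a-z]+://([^/:]+)", target, re.IGNORECASE)
    return (m.group(1) if m else target).lower()


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one log line into (time, source host, event kind, hostname)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, kind, target = m.groups()
    return datetime.fromisoformat(ts), src, kind, host_of(target)


def find_dead_drop_followups(log_text: str, known_domains: Set[str]) -> List[Tuple[str, str, str, float]]:
    """Return (source, new domain, dead-drop host, seconds later) for every host
    that resolves a never-before-seen domain shortly after fetching from a
    dead-drop service. The IP the malware finally reaches is never needed."""
    last_drop: Dict[str, Tuple[datetime, str]] = {}  # per source: last dead-drop fetch
    seen = set(known_domains)
    alerts: List[Tuple[str, str, str, float]] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, kind, host = parsed
        if kind == "http" and host in DEAD_DROP_HOSTS:
            last_drop[src] = (ts, host)
        elif kind == "dns":
            first_seen = host not in seen
            seen.add(host)
            if first_seen and src in last_drop:
                t0, drop_host = last_drop[src]
                delta = ts - t0
                if timedelta(0) <= delta <= WINDOW:
                    alerts.append((src, host, drop_host, delta.total_seconds()))
    return alerts


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ipv4_literals(strings: List[str]) -> List[str]:
    """IPv4 literals an IP-based signature could key on, from extracted strings."""
    return sorted({m.group(0) for s in strings for m in IPV4_RE.finditer(s)})


# Constructed string sets standing in for `strings` output from two styles of sample:
# one with a hard-coded C2 address (documentation range 192.0.2.0/24), one that
# only references intermediary services as the report describes.
HARDCODED_STYLE_STRINGS = ["http://192.0.2.10/gate.php", "User-Agent: Mozilla/5.0"]
DEAD_DROP_STYLE_STRINGS = ["https://t.me/s/examplechannel", "https://cloudflare-dns.com/dns-query?name="]


if __name__ == "__main__":
    for alert in find_dead_drop_followups(SAMPLE_LOG, KNOWN_DOMAINS):
        print("ALERT", alert)
    print("IP IoCs, hard-coded style:", ipv4_literals(HARDCODED_STYLE_STRINGS))
    print("IP IoCs, dead-drop style:", ipv4_literals(DEAD_DROP_STYLE_STRINGS))
```

In the sample, only ws-17 is flagged: it fetches a Telegram page and two seconds later resolves a domain nobody in the baseline has seen. ws-40 also contacts Telegraph, but its first-seen lookup comes forty minutes later, outside the window, which is the trade-off such a rule always makes between noise and coverage. The second function makes the report's other point concrete: the dead-drop-style strings yield no IPv4 literal at all, so an indicator feed of C2 addresses cannot match that sample.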
Ukraine is therefore considering limiting the use of Telegram and Telegraph services in the country's public sector to protect its confidential information and national security interests, the NCSCC said.
Historically, the group is known to use phishing campaigns to bait its victims. Its campaigns are distinguished from others by the use of legitimate documents stolen from compromised government and military organizations. The malicious documents are often disguised as reports or official communications, which increases the likelihood of successful penetration.
The group's malware arsenal includes the GammaDrop, GammaLoad, GammaSteel and LakeFlash strains, which tend to act as infostealers and spyware.
According to a report by CERT-UA, Gamaredon began deploying the GammaLoad and GammaSteel infostealer malware via phishing emails sent from compromised government employee accounts.
The NCSCC also takes note of another malware strain called Pterodo or Pteranodon, a multipurpose tool used by Gamaredon that is designed to spy and steal data.
"Its versatility in deploying various modules makes it a powerful threat capable of penetrating and compromising target systems with precision," the NCSCC said.
While Gamaredon may not be the most technically advanced group targeting Ukraine, their tactics, techniques and procedures have improved constantly. The increasing frequency of their attacks also indicates the expansion of their capabilities and resources, and when these activities are synced with critical military events their potential impact increases tremendously, the NCSCC noted.