Russian APT Intensifies Cyber Espionage Activities Amid Ukrainian Counter-Offensive

Cyber Security Threat Summary:
According to a new report from the National Security and Defense Council of Ukraine, the Russian Gamaredon group has intensified its cyber espionage activities ahead of and during Ukraine's ongoing counter-offensive operations.

The Russian-affiliated group has plagued Ukraine with cyber attacks going back to 2013. Its recent activity aims at stealing sensitive data from military and government entities, specifically those conducting offensive operations against Russian forces.

Security Officer Comments:
Gamaredon has registered a large number of domains and subdomains from which it launches attacks against Ukrainian entities. Because this infrastructure leans on legitimate services, the group can rotate it quickly and obscure its activity, which hampers attribution and blunts defensive blocking. “In one example from earlier this year, Gamaredon used Cloudflare's public DNS resolver, cloudflare-dns[.]com, and the popular messaging app Telegram as conduits for extracting IP addresses required for the following stages of their operations. These services camouflaged the true intent behind this action” (Info Security Magazine, 2023).
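The practical consequence of the quoted technique is that blocking the resolver or Telegram outright is rarely an option, so detection has to look at who is talking to them and what they ask for. The script below, an added example that is not code from the report or from Info Security Magazine, parses constructed proxy log lines, decodes the DNS name carried in a DNS-over-HTTPS GET to cloudflare-dns.com (the RFC 8484 wire encoding; the sample query string for www.example.com is the RFC's own), flags Telegram endpoints reached from non-browser clients, and escalates any client that touched both. The log format, the Telegram hostnames, and the user-agent heuristic are assumptions chosen for the example.

```python
import base64
import struct
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# cloudflare-dns.com is the resolver named in the report; the Telegram hosts
# and the user-agent heuristic are assumptions for this example.
DOH_RESOLVERS = {"cloudflare-dns.com"}
DEAD_DROP_HOSTS = {"api.telegram.org", "t.me", "telegram.me"}
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edg/")  # browsers use DoH legitimately


def build_doh_query(name: str, qtype: int = 1) -> str:
    """Encode a DNS question for `name` as an RFC 8484 GET carries it (base64url, no padding)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id 0, RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    wire = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    return base64.urlsafe_b64encode(wire).decode().rstrip("=")


def decode_doh_qname(url: str):
    """Return the queried name from a DoH GET URL, or None if it carries no query.
    POST bodies (application/dns-message) are not visible in a URL-only log."""
    dns_param = parse_qs(urlparse(url).query).get("dns")
    if not dns_param:
        return None
    b64 = dns_param[0]
    wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(wire) < 12 or struct.unpack("!H", wire[4:6])[0] < 1:  # need a question section
        return None
    labels, pos = [], 12
    while pos < len(wire):
        ln = wire[pos]
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers do not belong in a question name
            return None
        labels.append(wire[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    return ".".join(labels) or None


def analyse(log_text: str):
    """Return (findings, escalated): one finding per suspicious line as
    (client, kind, host, detail), and the clients that used both a DoH resolver
    and a dead-drop host from a non-browser user agent."""
    findings, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split(None, 4)  # assumed log layout
        host = urlparse(url).hostname or ""
        is_browser = any(m in ua for m in BROWSER_MARKERS)
        if host in DOH_RESOLVERS and not is_browser:
            findings.append((client, "doh", host, decode_doh_qname(url)))
            seen[client].add("doh")
        elif host in DEAD_DROP_HOSTS and not is_browser:
            findings.append((client, "dead-drop", host, ts))  # path omitted: it may carry a bot token
            seen[client].add("dead-drop")
    escalated = {c for c, kinds in seen.items() if kinds == {"doh", "dead-drop"}}
    return findings, escalated


RFC_EXAMPLE = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"  # RFC 8484 section 4.1.1, www.example.com

# Constructed sample log (ts, client, method, url, user agent); not from the report.
SAMPLE_LOG = f"""\
2023-06-01T10:00:01Z 10.0.0.5 GET https://cloudflare-dns.com/dns-query?dns={build_doh_query('example.net')} Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1
2023-06-01T10:00:02Z 10.0.0.5 GET https://api.telegram.org/botTOKEN/getUpdates Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1
2023-06-01T10:00:03Z 10.0.0.7 GET https://cloudflare-dns.com/dns-query?dns={RFC_EXAMPLE} Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
2023-06-01T10:00:04Z 10.0.0.9 GET https://t.me/s/examplechannel python-requests/2.31
"""

if __name__ == "__main__":
    found, high = analyse(SAMPLE_LOG)
    for f in found:
        print("finding:", f)
    print("escalated clients:", sorted(high))
```

The Firefox line is deliberately left unflagged: browsers resolve over cloudflare-dns.com legitimately, and the signal in this technique is a scripting host or unknown binary doing so, ideally shortly before it contacts the second service. Decoding the `dns=` parameter matters because the resolved name, not the resolver, is the indicator worth pivoting on.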

There has also been a notable uptick in phishing attacks attributed to the group. These campaigns use legitimate documents stolen from previously compromised entities as lures, tricking victims into opening them, which delivers malware and provides initial access for follow-on attacks. The lures are often disguised as reports or official communications. The report added that the group has a “formidable” arsenal of malware used in its phishing campaigns, including GammaDrop, GammaLoad, GammaSteel and LakeFlash.

Suggested Correction(s):
The report warns of Gamaredon’s strategic timing, and urges Ukrainian military organizations to remain vigilant to the group’s latest tactics, techniques, and procedures (TTPs). “The alignment of their activities with critical military events amplifies their potential impact. Organizations must recognize the evolving nature of their threat and bolster their cybersecurity measures and international cooperation in cyber threat intelligence sharing accordingly,” it stated.