Russian cyberattacks against Ukraine have nearly tripled during the last year, and Ukrainian Defence Minister Oleksii Reznikov says he is concerned that Russia will renew its offensive to coincide with the anniversary of the all-out war.
Ukraine’s National Security and Defence Council has issued a warning that Russia could conduct a large-scale cyberattack as part of its renewed aggression.
Ukrainian CERT has released reports stating that the Russian threat actor Gamaredon – also known as UAC-0010, Primitive Bear, BlueAlpha, ACTINIUM, and Trident Ursa – is actively renewing its attack efforts. Reportedly, the group operates from Sevastopol in Crimea and follows instructions from the FSB Centre for Information Security in Moscow.
“Gamaredon has carried out several cyberattacks against Ukraine since it originated in June 2013, a few months before Russia forcibly annexed the Crimean Peninsula,” says Doron Davidson, Logpoint VP Global Services. “We’ve recently seen significant spikes in their activities and the group remains the most active, intrusive, and pervasive APT.
“We’re monitoring the situation closely to keep up with threat intelligence and defence techniques that can mitigate the risk of Gamaredon,” Davidson adds.
Ukraine’s State Service of Special Communication and Information Protection states that Gamaredon focuses more on information stealing and espionage than on destruction, and increasingly uses the GammaLoad and GammaSteal spyware. These malware variants are custom-made information-stealing implants that can exfiltrate files with specific extensions, steal user credentials, and take screenshots of the victim’s computer.
Logpoint’s investigation into GammaLoad and GammaSteal shows that the malware variants are delivered via spear-phishing emails sent from the compromised accounts of government employees; the emails carry malicious HTML files or Office documents, or link to phishing websites, to reach the target devices. The malware is designed to target Windows, Linux, and Android operating systems.
“It’s always crucial to detect an attack before it takes root in the systems,” says Davidson. “With Gamaredon and other APTs, it’s not enough to follow best practices. You need to have capabilities to efficiently detect threats based on known indicators of compromise, using active monitoring and incident response plans.”