Russian APT group Gamaredon has intensified its cyber espionage activities ahead of and during Ukraine’s counter-offensive operations, according to a new report from the National Security and Defense Council of Ukraine.
The government agency said the Russia-affiliated group, which has consistently targeted Ukraine since 2013, is ramping up attacks on military and government entities with the aim of stealing sensitive data relating to its counter-offensive operations against Kremlin troops.
The war in Ukraine has reached a critical point, with Kyiv currently undertaking a much-publicized counter-offensive designed to push back Russian forces from its territory.
The Council observed a “notable surge” in Gamaredon’s infrastructure preparations in the build-up to the counter-offensive, during April and May 2023.
Going Under the Radar
The group registered a substantial number of domains and subdomains in this period, which were subsequently used to launch attacks against Ukrainian military and security organizations.
This dynamic infrastructure, utilizing legitimate services, enables the group to rotate quickly and obfuscate its activities, making detection and attribution challenging, stated the report.
In one example from earlier this year, Gamaredon used Cloudflare's public DNS resolver, cloudflare-dns.com, and the popular messaging app Telegram as conduits for retrieving the IP addresses needed for the following stages of its operations. Routing these lookups through widely used, legitimate services disguised the true purpose of the traffic.
The report noted: “By leveraging services like Cloudflare DNS, Telegram, and Telegraph, the group underscores their commitment to maintaining secrecy and adaptability.”
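The pattern described above, a lookup through a public DNS-over-HTTPS resolver followed shortly by contact with Telegram or Telegraph from the same host, can be hunted for in proxy logs. The following is an added detection example written for this article, not code from the Council's report or from CERT-UA; the log format, the sample lines and the 15-minute correlation window are constructed assumptions, and the Telegram/Telegraph host names are the services' public domains rather than indicators taken from the report.

```python
"""Hunt for hosts that query a public DoH resolver and then reach a
messaging/publishing service that can serve as a dead-drop for C2 addresses.

Log format (hypothetical, constructed for this example):
    <ISO-8601 timestamp> <source IP> <destination host> <URL path>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log. 10.0.4.17 shows the suspicious sequence;
# 10.0.7.99 only uses DoH; 10.0.9.3 only reaches Telegraph.
SAMPLE_LOG = """\
2023-05-02T08:01:10Z 10.0.4.17 cloudflare-dns.com /dns-query
2023-05-02T08:01:12Z 10.0.4.17 t.me /s/example-channel
2023-05-02T08:02:30Z 10.0.4.17 telegra.ph /example-page
2023-05-02T08:10:00Z 10.0.7.99 cloudflare-dns.com /dns-query
2023-05-02T09:45:00Z 10.0.7.99 example.org /
2023-05-02T09:46:00Z 10.0.9.3 telegra.ph /some-page
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S*)$")

# The resolver named in the report; add other public DoH endpoints as needed.
DOH_RESOLVERS = {"cloudflare-dns.com"}
# Public domains of Telegram and Telegraph (the services named in the report).
DEAD_DROP_HOSTS = {"t.me", "telegram.org", "api.telegram.org", "telegra.ph"}
# Assumed correlation window; tune to the environment.
WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Parse log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, host, path = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "host": host.lower(),
            "path": path,
        })
    return events


def find_sequences(events, window=WINDOW):
    """Return one alert per dead-drop contact that follows a DoH query
    from the same source within the window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        doh_times = [e["ts"] for e in evs if e["host"] in DOH_RESOLVERS]
        for e in evs:
            if e["host"] not in DEAD_DROP_HOSTS:
                continue
            prior = [t for t in doh_times if t <= e["ts"] <= t + window]
            if prior:
                alerts.append({
                    "src": src,
                    "doh_at": max(prior),
                    "dead_drop": e["host"],
                    "at": e["ts"],
                })
    return alerts


def suspicious_sources(alerts):
    """Distinct source IPs that triggered at least one alert, sorted."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    for a in find_sequences(parse_log(SAMPLE_LOG)):
        print(f"{a['src']}: DoH at {a['doh_at']:%H:%M:%S}, "
              f"then {a['dead_drop']} at {a['at']:%H:%M:%S}")
```

Either half of the sequence on its own is common in normal traffic (browsers use DoH, staff use Telegram), which is why the rule correlates the two per source and within a short window; baseline the hosts that legitimately use these services before turning the output into alerts.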
The Council also observed an escalation of phishing attacks by the group amid Ukraine’s counter-offensive. It said these campaigns stand out due to Gamaredon’s use of legitimate documents stolen from compromised entities. These documents are disguised as reports or official communications, increasing the chances of recipients downloading the malicious file.
The report added that the group has a “formidable” arsenal of malware used in its phishing campaigns, including GammaDrop, GammaLoad, GammaSteel and LakeFlash.
In conclusion, the Council emphasized the dangers posed by Gamaredon’s strategic timing and urged military organizations to remain vigilant against its tactics.
“The alignment of their activities with critical military events amplifies their potential impact. Organizations must recognize the evolving nature of their threat and bolster their cybersecurity measures and international cooperation in cyber threat intelligence sharing accordingly,” it stated.
The report follows an advisory issued by the Ukrainian government's Computer Emergency Response Team (CERT-UA) in July 2023 that unveiled the rapid data theft methods used by Gamaredon.