Ukraine's CERT-UA Exposes Gamaredon's Rapid Data Theft Methods


The Ukrainian government's Computer Emergency Response Team (CERT-UA) has recently unveiled the rapid data theft methods of the APT known as UAC-0010 (aka Armageddon, Gamaredon).

Writing in a new advisory (in Ukrainian) published on July 13, 2023, CERT-UA said Gamaredon comprises former Ukrainian Security Service (SBU) officers in Crimea, who defected in 2014 and started serving the Russian FSB.

Gamaredon's primary aim is cyber espionage against Ukraine's security forces, with evidence of destructive actions on information infrastructure targets.

The group mainly infects government computers, particularly those within communication systems, often working from compromised accounts and delivering its lures by email and by Telegram, WhatsApp and Signal messages.

They also use malware such as GammaSteel to exfiltrate files rapidly, within 30-50 minutes of the initial compromise, focusing primarily on documents with specific file extensions.

After the initial infection, a victim's computer may contain 80 to 120 malicious files for about a week, excluding files on removable media. Reinfection is highly likely if any infected files are left during the disinfection process.

Gamaredon's preferred method of initial compromise involves sending victims an archive containing HTM or HTA files that initiate the infection chain.

The group relies heavily on PowerShell for document theft and remote command execution, and it may install AnyDesk for interactive remote access.
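The chain the advisory describes (an archive carrying an HTM/HTA file, mshta.exe running it, PowerShell doing the work, AnyDesk installed afterwards) is visible in process-creation telemetry. The hunt below is an example added here by the editor, not code from CERT-UA or the article. It runs over constructed Sysmon-style process-creation records (the field names Image, ParentImage-derived parentage via pid/ppid, and CommandLine are an assumption about the reader's log source, and the command lines are illustrative, not captured from a real intrusion) and flags each stage plus any AnyDesk process whose ancestry leads back to mshta.exe.

```python
"""Hunt for an archive -> HTA -> mshta -> PowerShell -> AnyDesk process chain.

Editor's example, not CERT-UA's or the article's code. Event records are
constructed; the field names mirror Sysmon Event ID 1 but are an assumption.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). pid/ppid link child to parent.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 100,
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\dok.rar"'},
    {"pid": 412, "ppid": 400,
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\u\AppData\Local\Temp\Rar$DI.123\dok.hta"'},
    {"pid": 430, "ppid": 412,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -enc JABhAD0AMQA="},
    {"pid": 455, "ppid": 430,
     "Image": r"C:\Users\u\AppData\Local\Temp\AnyDesk.exe",
     "CommandLine": r'C:\Users\u\AppData\Local\Temp\AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --silent'},
    # Benign noise: a scheduled admin script, should not be flagged.
    {"pid": 500, "ppid": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

HTA_ARG = re.compile(r"\.ht(m|ml|a)\b", re.I)          # .htm / .html / .hta argument
TEMP_DIRS = re.compile(r"\\(Temp|Downloads|Rar\$)", re.I)  # user-writable / extraction paths
# powershell.exe accepts abbreviated switch names, so match -e/-ec/-en/-enc too.
ENCODED = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(events, pid):
    """Image basenames from pid up to the oldest ancestor present in events."""
    by_pid = {e["pid"]: e for e in events}
    out, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        out.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ppid"]
    return out


def hunt(events):
    """Return {pid: [reasons]} for every process matching a stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        pid, img, cmd = e["pid"], basename(e["Image"]), e["CommandLine"]
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["Image"]) if parent else ""
        if img == "mshta.exe" and HTA_ARG.search(cmd) and TEMP_DIRS.search(cmd):
            hits[pid].append("mshta.exe running an HTM/HTA from a temp or archive-extraction path")
        if img in POWERSHELL:
            if pimg == "mshta.exe":
                hits[pid].append("PowerShell spawned by mshta.exe")
            if ENCODED.search(cmd):
                hits[pid].append("PowerShell launched with an encoded command")
        # Ancestry check catches AnyDesk even if an intermediate process was missed.
        if "anydesk" in img and "mshta.exe" in lineage(events, pid)[1:]:
            hits[pid].append("AnyDesk launched from a process tree rooted in mshta.exe")
    return dict(hits)


if __name__ == "__main__":
    for pid, reasons in sorted(hunt(SAMPLE_EVENTS).items()):
        print(pid, "->", "; ".join(reasons))
```

The ancestry walk matters more than the individual stage rules: a single mshta or encoded-PowerShell event is common enough to be noise on an admin's workstation, but an AnyDesk installer whose parent chain contains mshta.exe is rarely legitimate and is the point at which the advisory's "interactive remote access" begins.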


To evade detection, Gamaredon continuously adapts to defensive measures, using PowerShell scripts to bypass two-factor authentication and changing IP addresses frequently.

The CERT-UA advisory provides a list of indicators of compromise (IoCs) to support detection of Gamaredon activity.

It also urges Ukrainian military personnel to install endpoint detection and response (EDR) software to minimize risk, especially on systems outside the protected perimeter, including those that use Starlink terminals for Internet access.

The advisory follows findings published by Symantec in June suggesting Gamaredon intensified attacks on Ukraine between January and April 2023.
