Microsoft on Friday shared more of the tactics, techniques, and procedures (TTPs) adopted by the Russia-based Gamaredon hacking group to facilitate a barrage of cyber espionage attacks aimed at several entities in Ukraine over the past six months.
The attacks are said to have singled out government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit organizations with the main goal of exfiltrating sensitive information, maintaining access, and leveraging it to move laterally into related organizations.
The Windows maker’s Threat Intelligence Center (MSTIC) is tracking the cluster under the moniker ACTINIUM (previously as DEV-0157), sticking to its tradition of identifying nation-state activities by chemical element names.
The Ukrainian government, in November 2021, publicly attributed Gamaredon to the Russian Federal Security Service (FSB) and connected its operations to the FSB Office of Russia in the Republic of Crimea and the city of Sevastopol.
“Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis,” MSTIC researchers said.
It’s worth pointing out that the Gamaredon threat group represents a unique set of attacks divorced from last month’s cyber offensives that knocked out multiple Ukraine government agencies and corporate entities with destructive data-wiping malware disguised as ransomware.
The attacks primarily leverage spear-phishing emails as an initial access vector, with the messages carrying malware-laced macro attachments that employ remote templates containing malicious code when the recipients open the rigged documents.
In an interesting tactic, the operators also embed a tracking pixel-like “web bug” within the body of the phishing message to monitor if a message has been opened, following which, the infection chain triggers a multi-stage process that culminates in the deployment of several binaries, including —
- PowerPunch — A PowerShell-based dropper and downloader used to retrieve the next-stage executables remotely
- Pterodo — A constantly evolving feature-rich backdoor that also sports a range of capabilities intended to make analysis more difficult, and
- QuietSieve — A heavily-obfuscated .NET binary specifically geared towards data exfiltration and reconnaissance on the target host
“While the QuietSieve malware family is primarily geared towards the exfiltration of data from the compromised host, it can also receive and execute a remote payload from the operator,” the researchers explained, while also calling out its ability to take screenshots of the compromised host about every five minutes.
This is far from the only intrusion staged by the threat actor, which also struck an unnamed Western government organization in Ukraine last month via a malware-laced resume for an active job listing with the entity posted on a local job portal. It also targeted the country’s State Migration Service (SMS) in December 2021.
The findings also arrive as Cisco Talos, in its continuing analysis of the January incidents, disclosed details of an ongoing disinformation campaign attempting to attribute the defacement and wiper attacks to Ukrainian groups that date back at least nine months.