Russian Gamaredon APT remains a major cyber threat to Ukraine


Palo Alto Networks’ Unit 42 released a report detailing the cyber activities of Gamaredon, an advanced persistent threat (APT) group attributed to Russia’s Federal Security Service (FSB) and best known for attacks on entities in Ukraine.

Also tracked as Trident Ursa, UAC-0010, Primitive Bear, and Shuckworm, the group has been active since at least 2014 and is one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine. The threat actor relies on phishing emails to distribute its malware, and has been observed providing access to compromised networks, along with collected intelligence, to other cybercriminals.

Although Gamaredon is mainly focused on Ukraine, over the past few months the group has been observed expanding its targeting beyond the country to Ukraine’s allies and NATO members. In August 2022, for example, the group attempted, unsuccessfully, to breach a large petroleum refining company in a NATO member nation using English-language lures.

The Unit 42 team also found that on February 24, 2022, the day Russia invaded Ukraine, an individual named Anton, who appeared to have ties to Gamaredon, threatened a small group of cybersecurity researchers on Twitter who had published Gamaredon indicators of compromise (IoCs) in the days before the invasion. The targeted researchers were undaunted and tweeted additional Trident Ursa IoCs in the weeks following the threats.

In the past few months, the group was observed using various DNS-related techniques to increase the resilience of their operations, and to make analysis of their infrastructure more difficult.
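The article does not say which DNS techniques the report describes, so the following is an added, generic defender-side check rather than a description of Gamaredon’s tradecraft or code from Unit 42: it takes constructed passive-DNS style observations (timestamp, domain, TTL, answer set) and flags domains whose A records churn through several addresses while advertising short TTLs. The domain names, addresses (from documentation ranges), field format and thresholds are all assumptions made for the example.

```python
"""Flag domains whose DNS answers rotate unusually fast across observations.

Added example, not from the Unit 42 report: the report is described only as
saying the group uses DNS-related techniques to hinder infrastructure analysis,
so the heuristic below (short TTLs combined with frequently changing A records)
is a generic defender-side check, not a description of the group's tradecraft.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int          # observation time, Unix seconds
    domain: str
    ttl: int         # TTL on the A record(s) at that time
    ips: frozenset   # set of IPv4 addresses returned


def parse_line(line: str) -> Observation:
    """Parse one constructed passive-DNS style record: ts,domain,ttl,ip1;ip2;..."""
    ts, domain, ttl, ips = line.strip().split(",")
    return Observation(int(ts), domain.lower(), int(ttl),
                       frozenset(ip for ip in ips.split(";") if ip))


# Constructed sample records using documentation address ranges; not real IoCs.
SAMPLE_LINES = """
0,static.example.net,3600,198.51.100.10
600,static.example.net,3600,198.51.100.10
1200,static.example.net,3600,198.51.100.10
1800,static.example.net,3600,198.51.100.10
0,cdn.example.com,30,192.0.2.20;192.0.2.21
300,cdn.example.com,30,192.0.2.21;192.0.2.20
600,cdn.example.com,30,192.0.2.20;192.0.2.21
0,rotating.example.org,60,203.0.113.5
300,rotating.example.org,60,203.0.113.77
600,rotating.example.org,60,203.0.113.9
900,rotating.example.org,60,203.0.113.150
1200,rotating.example.org,60,203.0.113.5
""".strip().splitlines()

SAMPLE = [parse_line(line) for line in SAMPLE_LINES]


def summarize(observations):
    """Per-domain stats: distinct IPs seen, how often the answer set changed,
    observation span in seconds, and the lowest TTL seen."""
    by_domain = defaultdict(list)
    for obs in sorted(observations, key=lambda o: o.ts):
        by_domain[obs.domain].append(obs)
    stats = {}
    for domain, obs in by_domain.items():
        all_ips = set().union(*(o.ips for o in obs))
        # Count polls where the returned set differs from the previous poll;
        # reordering of the same addresses (cdn.example.com) is not a change.
        changes = sum(1 for a, b in zip(obs, obs[1:]) if a.ips != b.ips)
        stats[domain] = {
            "unique_ips": len(all_ips),
            "changes": changes,
            "span_s": obs[-1].ts - obs[0].ts,
            "min_ttl": min(o.ttl for o in obs),
        }
    return stats


def flag_rotating(observations, max_ttl=300, min_changes=2, min_unique=3):
    """Return domains that combine a short TTL with a churning A-record set.

    A short TTL alone is normal for CDNs and load balancers, so it is only
    treated as suspicious together with repeated changes across several
    distinct addresses. Thresholds are illustrative defaults, not tuned values.
    """
    flagged = []
    for domain, s in summarize(observations).items():
        if (s["min_ttl"] <= max_ttl
                and s["changes"] >= min_changes
                and s["unique_ips"] >= min_unique):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE).items():
        print(f"{domain:25} {s}")
    print("flagged:", flag_rotating(SAMPLE))
```

Run against the constructed sample, only rotating.example.org is flagged: static.example.net never changes, and cdn.example.com has a low TTL but always returns the same two addresses, which is why the check requires churn and address diversity rather than TTL alone. On real data, feed it resolver logs or a passive-DNS export in the same four-field shape and tune the thresholds to your own baseline.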

Gamaredon remains an agile and adaptive APT that mostly relies on publicly available tools and scripts – along with a significant amount of obfuscation – as well as routine phishing attempts to successfully execute their attacks.

“This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains and new techniques and try again – often even reusing previous samples,” Unit 42 notes. “Continuously operating in this way since at least 2014 with no sign of slowing down throughout this period of conflict, Trident Ursa continues to be successful. For all of these reasons, they remain a significant threat to Ukraine, one which Ukraine and its allies need to actively defend against.”
