Ukrainian CERT has released reports that Russian threat actor Gamaredon, also known as UAC-0010, Primitive Bear, BlueAlpha, ACTINIUM, and Trident Ursa, is actively renewing its attack efforts. The Sevastopol group is reportedly operating out of Crimea and following instructions from the FSB Information Security Center in Moscow.
“Gamaredon has conducted multiple cyberattacks against Ukraine since its inception in June 2013, a few months before Russia forcibly annexed the Crimean Peninsula. We’ve seen a significant increase in their activity recently, and the group remains the most active, intrusive, and widespread APT,” says Doron Davidson of Logpoint. “We are closely monitoring the situation to stay current with threat intelligence and countermeasures to mitigate the risk of Gamaredon.”
Spy software GammaLoad and GammaSteal
According to Ukraine’s State Service of Special Communication and Information Protection, Gamaredon focuses more on stealing information and conducting espionage than on destroying data, and increasingly uses the GammaLoad and GammaSteal spy software. These malware variants are custom-made information-stealing implants that can exfiltrate files with specific extensions, steal user credentials, and take screenshots of the victim’s computer.
Logpoint’s investigation into GammaLoad and GammaSteal shows that the malware variants are distributed via spear-phishing emails sent from compromised government employee accounts, delivering malicious HTML files, Office documents and phishing web pages to the targeted devices. The malware is designed to target Windows, Linux and other operating systems.
Logpoint’s Gamaredon Report provides a detailed analysis of the threat actor’s techniques, indicators of compromise, and insights into analyzing and responding to such security incidents.