ESET Research investigates the Gamaredon APT group: Cyberespionage aimed at high-profile targets in Ukraine and NATO countries
Created: 2024-10-02 07:40:14
- ESET Research examined the operations of Russia-aligned advanced persistent threat (APT) group Gamaredon, which is currently the most engaged APT group in Ukraine.
- The majority of Gamaredon’s cyberespionage attacks are directed against Ukrainian governmental institutions.
- ESET saw a few attempts to compromise targets in several NATO countries - namely Bulgaria, Latvia, Lithuania, and Poland - but no successful breaches were observed.
- Gamaredon notably improved its cyberespionage capabilities, and developed several new tools in PowerShell, with a focus on stealing valuable data – from email clients, instant messaging applications such as Signal and Telegram, and web applications running inside internet browsers.
- ESET Research discovered PteroBleed, an infostealer that also focuses on stealing data from a Ukrainian military system.
BRATISLAVA — September 26, 2024 — ESET Research examined the operations of Gamaredon, a Russia-aligned APT group that has been active since at least 2013 and is currently the most engaged APT group in Ukraine. Gamaredon has been attributed by the Security Service of Ukraine (SSU) to the Russian 18th Center of Information Security of the FSB, operating out of occupied Crimea. ESET believes this group to be collaborating with another threat actor that ESET Research discovered and named InvisiMole. The majority of Gamaredon’s cyberespionage attacks are directed against Ukrainian governmental institutions. However, in April 2022 and February 2023, ESET also saw a few attempts to compromise targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland, but no successful breaches were observed.
Gamaredon uses ever-changing obfuscation tricks and numerous techniques for bypassing domain-based blocking. These tactics pose a significant challenge to tracking efforts, as they make it harder for systems to automatically detect and block the group’s tools. Nevertheless, during ESET’s investigation, ESET researchers managed to identify and understand these tactics and kept track of Gamaredon’s activities. The group has been methodically deploying its malicious tools against its targets since well before the 2022 invasion began. To compromise new victims, Gamaredon conducts spearphishing campaigns and then uses its custom malware to weaponize Word documents and USB drives accessible to the initial victim, expecting them to be shared with further potential victims.
During 2023, Gamaredon notably improved its cyberespionage capabilities and developed several new tools in PowerShell, with a focus on stealing valuable data – from email clients, instant messaging applications such as Signal and Telegram, and web applications running inside internet browsers. PteroBleed, an infostealer ESET discovered in August 2023, also focuses on stealing data related to a Ukrainian military system – and from the webmail service used by a Ukrainian governmental institution.
“Gamaredon, unlike most APT groups, does not try to be stealthy and remain hidden as long as possible by using novel techniques while conducting cyberespionage operations, but rather, the operators are reckless and do not mind being discovered by defenders during their activities. Even though they do not care so much about being noisy, they still put in a lot of effort to avoid being blocked by security products and try very hard to maintain access to compromised systems,” explains ESET researcher Zoltán Rusnák, who investigated Gamaredon.
“Typically, Gamaredon attempts to preserve its access by deploying multiple simple downloaders or backdoors simultaneously. The lack of sophistication of Gamaredon tools is compensated by frequent updates and the use of regularly changing obfuscation,” adds Rusnák. “Despite the relative simplicity of its tools, Gamaredon’s aggressive approach and persistence make it a significant threat. Given the ongoing war in the region, we expect Gamaredon to continue in its focus on Ukraine,” he concludes.
For a more detailed analysis and technical breakdown of Gamaredon’s tools and activities, check out the latest ESET Research white paper “Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.
Figure: Seven-day moving average of unique machines attacked in Ukraine
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessarily large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.