
Cyber Espionage, Gamaredon targets again Ukraine with new tools

Vitali Kremez: Gamaredon state-sponsored hackers have recently improved their toolset and ramped up attacks on Ukrainian national security targets

Pro-Russia Gamaredon state-sponsored hackers have recently improved their toolset and ramped up attacks on Ukrainian national security targets, according to cyber security expert Vitali Kremez, head of SentinelLabs. The researcher has been tracking an uptick in the APT’s cyberattacks on Kiev military and security institutions that started in December. These include digital attacks on physical infrastructure and field hardware, including artillery, along with cyber espionage. One of the latter campaigns was a series of reconnaissance actions against the Hetman Petro Sahaidachnyi National Ground Forces Academy, and spyware implants were spotted in a range of Ukrainian governmental targets. As the company’s post reports, “Based on SentinelLabs visibility into the APT Gamaredon victims telemetry, the group affected a large disposition of victims across the Ukrainian separatist line, with more than five thousand unique Ukrainian entities affected over the past months”.

Why the pro-Russia APT has recently increased cyber espionage activity against Kiev

The cyber security expert explained that “in December 2019, when we observed an increase in Gamaredon activities, the Normandy group met in Paris to advance the long-term peace talks. The subjects discussed suggest that the Minsk Efforts are advancing towards the peacebuilding stage from the initial peacemaking. DDR (Disarmament, Demobilization, and Reintegration) initiatives, resettling of refugees, establishment of joint armed forces and police groups, exchange of POWs and withdrawal of heavy-armed vehicles from Donbas – the format of such discussions suggests that applying traditional kinetic powers to win the Eastern Ukrainian battlefield is not an option for either side. Russia has recently achieved an unprecedented rapprochement with French President Emmanuel Macron, a key player in the Normandy group, and any outbreak of violence on the Ukrainian-Militia separation line may have fatal consequences for this new partnership. This overall strategic framework makes the APT well-positioned for the conflict”.

The malicious hackers’ goals, according to the cyber security expert

“By performing their attacks, Gamaredon simultaneously achieves several goals which traditional military cannot achieve while locked in the defensive modality implemented by the Minsk Accords – Kremez underlined -. First, by performing efficient cyber espionage against institutions such as the Hetman Petro Sahaidachnyi National Ground Forces Academy both in Lviv and Starychy, the APT increases the military preparedness of the Donbas militias and local paramilitary groups. In case of a doomsday scenario in which the two sides clash on the battlefield again, the intelligence about hardware, tactical methods, gear, and personnel gathered will serve as an edge for the separatists. Second, by accomplishing successful attacks against the Ukrainian military, the Russian state-sponsored hackers may obtain crucial information about strategic plans or internal issues. This information can be integrated into the information warfare and political campaigns initiated by Moscow intelligence forces against Ukraine. Most importantly, activities are a testing ground for the Russian military to observe the potential of utilizing cyber warfare in a contemporary violent conflict or in a state-wide political confrontation”.

The new APT toolset

The latest Gamaredon campaign packages the malware implant components as a self-extracting archive (SFX): a batch script, a .NET binary component, and macro payloads. Some of the group’s previous social engineering campaigns relied on an intricate understanding of the geopolitical and military situation in Ukraine, using as lures intercepted intelligence related to pro-Russian military operations in the country. The APT’s recent targeting, however, reveals a newer .NET framework component that references the “Microsoft.Vbe.Interop” assembly and then stages Microsoft Office Excel and Word macros. The malicious hackers use a system of server-side forwarders to process traffic from compromised victim machines, often relying on dynamic DNS providers. The newer tool executes the Excel and Word macros through an obfuscated .NET application that identifies the Office automation object by a hardcoded CLSID GUID. Furthermore, the Interop component carries a fake Microsoft digital certificate purporting to belong to the Microsoft Time-Stamp Service; a forged certificate of this kind does not chain to a trusted root, so Authenticode signature verification exposes it despite the Microsoft name.
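The toolset described above (a self-extracting archive carrying a batch script, a .NET component that drives Office macros through Microsoft.Vbe.Interop, and macro documents) lends itself to a simple triage check on the archive itself. The script below is an added example written for this page; it is not code from SentinelLabs or from the article. It constructs a toy SFX-like file in memory (a fake MZ stub followed by a ZIP), confirms that a ZIP is embedded behind the executable prefix, inventories the members, flags the script + .NET component + macro document combination, and looks inside the .NET-like member for the interop reference and for a hardcoded CLSID-style GUID. Every file name, GUID and byte string in it is constructed for the demo and is not an indicator from the campaign.

```python
"""Triage helper for self-extracting (SFX) archives.

Added example, not the article's or SentinelLabs' code. All sample names,
GUIDs and contents below are constructed for the demonstration.
"""
import io
import re
import zipfile

# CLSID-style GUID, with or without braces
GUID_RE = re.compile(rb"\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?")
VBE_INTEROP = b"Microsoft.Vbe.Interop"
MACRO_DOC_EXT = (".docm", ".xlsm", ".doc", ".xls", ".dotm", ".xltm")
SCRIPT_EXT = (".bat", ".cmd")
DOTNET_EXT = (".exe", ".dll")


def build_sample_sfx() -> bytes:
    """Construct a toy SFX: fake MZ stub followed by a ZIP with three members."""
    stub = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED_SFX_STUB_NOT_A_REAL_PE"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("run.bat", "@echo off\r\nstart loader.exe\r\n")
        # Stand-in for the .NET component: carries the interop reference
        # and a constructed GUID, the way a hardcoded CLSID would appear.
        zf.writestr(
            "loader.exe",
            b"MZ" + b"\x00" * 30 + b"BSJB" + VBE_INTEROP
            + b"\x00{0000DEAD-BEEF-4000-8000-000000000001}\x00",
        )
        zf.writestr("lure.docm", b"constructed macro document placeholder")
    return stub + buf.getvalue()


def analyze_sfx(data: bytes) -> dict:
    """Inventory an SFX-like blob and flag the traits the article describes."""
    result = {
        "is_executable": data[:2] == b"MZ",
        "has_embedded_zip": False,
        "members": [],
        "scripts": [],
        "dotnet": [],
        "macro_docs": [],
        "vbe_interop_refs": [],
        "guids": [],
        "suspicious_combo": False,
    }
    bio = io.BytesIO(data)
    # zipfile locates the end-of-central-directory record from the tail of the
    # file, so a ZIP behind an executable stub is still recognised and readable.
    if not zipfile.is_zipfile(bio):
        return result
    result["has_embedded_zip"] = True
    bio.seek(0)
    with zipfile.ZipFile(bio) as zf:
        for name in zf.namelist():
            lower = name.lower()
            result["members"].append(name)
            if lower.endswith(SCRIPT_EXT):
                result["scripts"].append(name)
            elif lower.endswith(DOTNET_EXT):
                result["dotnet"].append(name)
                blob = zf.read(name)
                if VBE_INTEROP in blob:
                    result["vbe_interop_refs"].append(name)
                result["guids"].extend(m.decode() for m in GUID_RE.findall(blob))
            elif lower.endswith(MACRO_DOC_EXT):
                result["macro_docs"].append(name)
    # Batch script + .NET component + macro document is the packaging
    # pattern described for the campaign; on its own it is a triage hint,
    # not proof of compromise.
    result["suspicious_combo"] = bool(
        result["scripts"] and result["dotnet"] and result["macro_docs"]
    )
    return result


if __name__ == "__main__":
    for key, value in analyze_sfx(build_sample_sfx()).items():
        print(f"{key}: {value}")
```

The check is deliberately content-based rather than signature-based: it asks what an archive contains and what the embedded binary references, which survives renaming of the sample. Pair it with Authenticode verification of the extracted .NET component, since the certificate the article mentions carries a Microsoft name but cannot validate.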
