Behind the Cyber Curtain: Tracing Gamaredon's Espionage Footprint in Ukrainia
In the context of recent developments in cyber warfare, there's a growing concern about the activities of a Russia-affiliated cyberespionage group called Gamaredon. Identified also as Primitive Bear, ACTINIUM, and Shuckworm, Gamaredon has been active since 2014 and is primarily focused on Ukrainian targets.
A recent report from Check Point, dated November 17, highlights Gamaredon's distinct role in the Russian espionage arena.
Unlike many Russian espionage operations that tend to be covert, Gamaredon is known for its conspicuous presence. This group is largely believed to be composed of personnel from the Russian Federal Security Service (FSB), as identified by the Security Service of Ukraine (SSU).
Gamaredon's strategy involves extensive campaigns that are primarily regionally focused, yet they have a significant impact due to their scale.
These campaigns typically transition to targeted data collection efforts, likely driven by espionage objectives.
To maintain access to its targets, which prominently include security, military, and governmental organisations in Ukraine, Gamaredon employs various tools and mechanisms. A notable tool in its arsenal is a USB-propagating worm dubbed LitterDrifter.
The Gamaredon Advanced Persistent Threat (APT) group's activities have intensified following Russia's invasion of Ukraine.
The Ukrainian Computer Emergency Response Team (CERT-UA) is actively monitoring these operations, providing valuable insights into the group's tactics, techniques, and procedures (TTPs). This ongoing surveillance is crucial for understanding and mitigating the impact of Gamaredon's cyberespionage activities.
A notable aspect of Gamaredon's operations, as identified by Check Point researchers, involves large-scale campaigns that pivot to intelligence-gathering activities. In their recent offensives, they have employed a USB-propagating worm called LitterDrifter.
This worm, written in Visual Basic Script (VBS), is designed to spread automatically via USB and establish communication with a versatile command and control (C2) system.
The analysis by Check Point highlights that
“These features are implemented in a manner that aligns with the group’s goals, effectively maintaining a persistent command and control (C2) channel across a wide array of targets.”
LitterDrifter's dual functionalities are embedded within an orchestration component known as “trash.dll”, which is a misnomer as it is actually a VBS script.
The malware, upon execution, decodes and runs other modules, ensuring persistence on infected systems. It comprises a spreader module that enables the malware to propagate within the system and target other environments, particularly USB removable media.
Additionally, its C2 module establishes communication with the attacker’s C&C server and executes incoming payloads. This component is noted for its unique approach to C&C communication, utilizing domain names as placeholders for IP addresses of C2 servers.
The sophistication of Gamaredon’s approach is further evident in its obfuscation techniques. The orchestration component is heavily obfuscated, constructed from a series of strings with character substitution.
Check Point's report also indicates that LitterDrifter infections have been detected beyond Ukraine, in countries including the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.
Despite its seeming simplicity, the effectiveness of this malware reflects Gamaredon's strategic approach to cyber warfare.
Symantec researchers have also shed light on this issue, revealing that Gamaredon has managed to remain undetected in target networks for extended periods.
Most attacks initiated in early 2023, with the group evading detection until May. Their focus is on pilfering sensitive information, which includes details about military activities and personnel. Symantec also notes that Gamaredon continually updates its toolset to evade detection.
This ongoing cyber warfare activity underscores the complex and dynamic nature of modern electronic warfare, where cyberespionage plays a critical role in geopolitical conflicts. For further information and updates, follow us on X (Twitter) @cybernewscentre and Facebook.
