In a world where warfare has expanded far beyond physical battlefields, the Ukrainian government's Computer Emergency Response Team (CERT-UA) has shed light on the evolving threat posed by an Advanced Persistent Threat (APT) group tracked as UAC-0010, also known as Armageddon or Gamaredon, the Ukrainian State Service of Special Communications announced on July 14.
In an advisory published on July 13, 2023, CERT-UA detailed the rapid data-theft methods employed by this APT group.
The Gamaredon group, allegedly composed of former Ukrainian Security Service (SBU) officers who defected to the Russian FSB in 2014, uses cyber espionage to target Ukraine's security forces and undermine their information infrastructure.
Their tactics involve infecting government computers, particularly those within communication systems, by delivering malware through compromised accounts and messaging platforms such as email, Telegram, WhatsApp, and Signal.
Moreover, the group uses malware like GammaSteel to swiftly exfiltrate files, primarily targeting documents with specific extensions, and can accomplish this within a shockingly short timeframe of 30-50 minutes.
Post-infection, a victim's computer can harbor between 80 and 120 malicious files for roughly a week, not counting files on removable media.
Reinfection is not merely possible but highly probable if any infected files are missed during disinfection. The initial compromise often occurs when victims receive an archive containing HTM or HTA files that initiate the infection chain.
The group relies heavily on PowerShell for document theft and remote command execution. In certain scenarios, they may install AnyDesk for interactive remote access. Their tactics are evolving, continuously adapting to defensive measures in a relentless pursuit of their objectives.
The group has even developed PowerShell scripts to bypass two-factor authentication, and it frequently changes IP addresses to remain undetected.
CERT-UA's publication serves as both a warning and a guide, offering a list of indicators of compromise (IoCs) to aid in the detection of Gamaredon's activities.
The report urges Ukrainian military personnel to install endpoint detection and threat response (EDTR) software, especially for systems operating outside the protection perimeter, including those using Starlink terminals for Internet access.
This advisory follows a report published by cybersecurity giant Symantec in June, which suggests a significant intensification of Gamaredon's attacks on Ukraine between January and April 2023.