Threat Actor: Gamaredon Group

Date of Activity: ~2013-Present Overview: The Gamaredon Group is a sophisticated cybercriminal organization that has been active since at least 2013. This group is believed to be based in Ukraine (Crimea) and is known for its advanced malware campaigns targeting government agencies, military organizations, and financial institutions. Gamaredon Group is one of the most prolific threat actors in the Ukrainian cybercrime landscape. The group's operations are characterized by a high level of organization and technical skill, making it a formidable adversary to many organizations. The group primarily focuses on the ex-Soviet republics, but it has been known to target other countries as well. The group's operations typically begin with spear-phishing campaigns, where they send targeted emails to their victims. These emails contain malicious attachments or links that, once clicked, infect the victim's computer with malware. The malware used by Gamaredon Group is typically designed to steal sensitive data, such as login credentials or financial information. One of the most notable campaigns conducted by the Gamaredon Group was in 2015 when they targeted the Ukrainian government. The group sent a series of spear-phishing emails to Ukrainian officials and politicians, infecting their computers with malware. This malware was then used to steal sensitive documents and information, which the group then leaked online. The group is also known for its use of custom malware, which is designed specifically for their campaigns. One such malware is the "Pterodo" malware, which is a backdoor that allows the group to take control of infected computers remotely. The group has also been known to use a variety of other malware, including trojans and ransomware. In recent years, the Gamaredon Group has expanded its operations to include social media platforms. The group has been known to create fake social media accounts to target its victims, using them to spread malware or to gather information about their targets. The group's motivations are not entirely clear, but it is believed that they are financially motivated. The group is known to sell stolen data on the dark web, and they may also receive payment for their services from other cybercriminal organizations. It is also believed the group has ties to the Russian Intelligence Services and the Russian government.

TTPs:

• Nation-state tool set; to include implants, exploits, and RATs

• Intelligence collection against corporations, militaries, and governments

• Sophisticated spear phishing TTPs and use of social media

• Long-term access to networks with deep access

• Targeted and Custom malware