Cybersecurity researchers said on Monday they uncovered evidence of attempted attacks by a Russia-linked hacking operation targeting a Ukrainian entity in July 2021.
Broadcom-owned Symantec, in a new report released on Monday, attributed the attacks to an actor identified as Gamaredon (aka Shuckworm or Armageddon), a cyber espionage collective known to have been active since at least 2013.
In November 2021, Ukrainian intelligence agencies called the group a “special project” of the Russian Federal Security Service (FSB), in addition to pointing the finger at it for carrying out more than 5,000 cyberattacks against public authorities and infrastructure located in the country.
Gamaredon attacks typically stem from phishing emails that trick recipients into installing a custom remote access trojan called Pterodo. Symantec revealed that between July 14, 2021 and August 18, 2021, the actor installed several variants of the backdoor and deployed additional scripts and tools.
“The attack chain started with a malicious document, likely sent via a phishing email, which was opened by the user of the infected machine,” the researchers said. The identity of the organization concerned has not been disclosed.
Towards the end of July, the adversary exploited the implant to download and run an executable file that acted as a dropper for a VNC client before establishing connections to a remote command and control server under their control.
“This VNC client appears to be the ultimate payload for this attack,” the researchers noted, adding that installation was followed by access to a number of documents on the compromised machine, ranging from job descriptions to sensitive company information.
Ukraine denounces false flag operation in wiper attacks
The findings come amid a wave of disruptive and destructive attacks launched against Ukrainian entities by suspected Russian state-sponsored actors, resulting in the deployment of a file eraser dubbed WhisperGate, around the same time as several government-owned websites were defaced.
A subsequent investigation into the malware has since revealed that the code used in the wiper was repurposed from a fake ransomware campaign called WhiteBlackCrypt that targeted Russian victims in March 2021.
Interestingly, the ransomware is known to include a trident symbol – which is part of Ukraine’s coat of arms – in the ransom note it displays to its victims, leading Ukraine to suspect that this may have been a deliberate false flag operation to blame a ‘fake’ pro-Ukrainian group for staging an attack on their own government.