
Russia-linked Gamaredon espionage up ‘tenfold’ in Ukraine during war

Olena Siksoy kisses a picture of her son and Ukrainian soldier Ruslan Siksoy during his burial at the Lychakiv Cemetery on April 17, 2022, in Lviv, Ukraine. (Photo by Joe Raedle/Getty Images)

The Russia-linked actor Gamaredon has sharply increased its espionage activity in Ukraine during the war, targeting victims across multiple verticals.

"I'd say, in the past two months, we have seen a tenfold increase in their activity," said Vikram Thakur, technical director of Broadcom's Symantec security division. Other groups have fluctuated in attack volume in the past, but this increase is steeper than anything seen from those groups.

While Symantec does not attribute threat groups to specific nations, several researchers, as well as the government of Ukraine, have linked Gamaredon to Russia in the past. Ukraine has gone as far as charging five Crimean operatives with treason, alleging the group's members were FSB agents directed by Moscow to participate in the attacks.

Gamaredon is known primarily for phishing attacks and has been observed almost entirely in Ukraine since it was discovered just under a decade ago. A new blog, out Wednesday, from Symantec Threat Research, which tracks the group as Shuckworm, notes that while "Shuckworm is not the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations."

The new blog notes four new variants of Pteredo (also called Pterodo) being used in the breaches. All four are built on the same VBScript dropper, modified for different purposes: each drops VBScripts with different functions but similar underlying code.

While the variants are only being seen in Ukraine, there is little else linking the victims — less a grand strategy than an all-out blitz, said Thakur.

"It's all across different verticals. So, to us, it appears that they probably just were sent a list of [unrelated] Ukrainian entities," he said.

The wave of breaches is supported by "hundreds" of command-and-control servers, with little overlap in use from victim to victim. Symantec speculates this is meant to limit the damage if any single server is taken offline.

The new tools have been seen almost exclusively in Ukraine.

Gamaredon's change in volume and narrowing of an already narrow focus is a rare look at how an active, well-developed cyberespionage group changes pace when there are extreme shifts in the world order.

"If you're an American company, and your incident response plan calls for a seven-day preparation to react to escalations happening in geopolitics, CISOs should look at this and say, 'OK, we need to taper that seven-day window down to maybe two days or one day,'" said Thakur.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
