A Russian hacking group that has been targeting Ukraine for almost a decade has mounted “multiple” cyberattacks against the country’s security services, military and government agencies in recent months in a slow-burn espionage campaign.
According to research released Thursday by Symantec, the threat actor, named Shuckworm (or Gamaredon) has been observed gaining access and lurking in Ukrainian systems for months at a time in an effort to steal wartime intelligence.
“In some cases, the Russian group succeeded in staging long-running intrusions, lasting for as long as three months,” the Symantec research claims. “The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian service members, reports from enemy engagements and air strikes, arsenal inventory reports, training reports, and more.”
Symantec said the most recent attacks began in February and March, with Gamaredon maintaining access to some victim devices through May. They targeted machines that “contained what appeared from file names to be sensitive military information.”
“There were indications in some organizations that the attackers were on the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations was a priority for the attackers, among other things,” Symantec stated.
Since the start of the war, U.S. officials have remarked that Russian hacking groups have lobbed an “enormous” amount of cyberattacks against Ukraine. Earlier observed operations were defined by a focus on achieving destructive effects, such as deploying wiper malware and attempting to disrupt or degrade high value targets, like ViaSat, that provided essential or strategic services to the Ukrainian government and military.
Wiper attacks haven't gone away. Russian APT group Sandworm was observed deploying a new variant of the malware in Ukraine as recently as January, while Microsoft this week attributed the "WhisperGate" campaign to a newly identified hacking group associated with the Russian Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
The collective impact of this early destructive phase on Ukrainian military operations was muted, and at some point the strategy in Moscow shifted. The volume of cyberattacks noticeably dropped, with some U.S. national security observers speculating that Russia may have burned much of its stockpile of zero-day exploits in the first months, when the Kremlin may have been more confident the war would be short. After a brief respite the activity picked back up again, but this time much of the hacking activity was redirected towards organizations and assets that could provide wartime intelligence to potentially help Russian troops on the battlefield.
However, Gamaredon is no latecomer; the group has been laser-focused on Ukraine since at least 2014. While they have consistently relied on mainstays like social engineering and spearphishing to gain initial access to victims, they’ve managed to stay relevant over the years by constantly switching up their hacking tools and infrastructure.
In January, Blackberry’s research and intelligence team reported that the group was using Telegram accounts as command-and-control infrastructure to profile victims and nudge them towards servers that delivered malware. Symantec reports the same activity, adding that more recently the group has begun leveraging Telegram’s micro-blogging site Telegraph to store command and control addresses.
The group has also been spotted using a new Powershell script to infect devices with custom malware — called Pterodo. Pterodo copies itself on victim machines and takes on provocative filenames like “porn_video.rtf.lnk” or “do_not_delete.rtf.lnk” to lure curious users into opening them. Then it executes a script to download additional malware payloads and copies itself to any connected USB drives. Symantec believes these drives may be for follow on operations to reach air-gapped machines and systems.
Symantec’s research aligns with other sources who have tracked a broader shift in Russian cyberspace operations in Ukraine away from short-term smash-and-burn tactics and towards longer plays for espionage and intelligence gathering.
In November 2022, a pair of Mandiant researchers detailed how Russian hacking groups were increasingly exploiting “edge” IT infrastructure in Ukraine, like mail servers, routers, firewalls and VPNs, that support a hybrid approach where teams could decide to deploy wipers or exfiltrate data while still maintaining persistence.
More recently, Serheii Demediuk, Deputy Secretary of the National Security and Defense Council of Ukraine, remarked this week that “Russia has changed its cyber tactics in the Ukrainian cyberspace.”
“Public and destructive cyber attacks are hardly detected anymore. Instead, they engage in collecting confidential data and conducting reconnaissance. They are attempting to establish a presence in critical infrastructure systems and defense forces,” he said on Twitter June 13.
Demediuk also expressed his “opinion” that the change was related to a broader shift by Russian hacking groups towards operations targeting the U.S. 2024 elections, though he offered no evidence for his speculation.
