
Evaluation of surveillance tools utilized to monitor Ukraine in 2022 and 2023


ESET Research has recently completed an in-depth technical analysis of the toolset used by the cyberespionage group Gamaredon in their activities focused on Ukraine. The ongoing conflict in Ukraine, particularly with Russia’s invasion in 2022, has created a complex environment that includes disinformation campaigns and cyberwarfare. Over the years, ESET Research has uncovered various high-profile cyberattacks carried out by Russia-aligned advanced persistent threat (APT) groups targeting Ukrainian entities.

Gamaredon, a group linked to Russia and active since at least 2013, has emerged as a prominent cyber threat in Ukraine. Despite the escalation of physical conflict in recent years, Gamaredon has maintained a consistent level of cyber activity, deploying its malicious tools methodically against targets even before the invasion.

The comprehensive analysis conducted by ESET Research delved into Gamaredon’s tactics and tools used for cyberespionage in 2022 and 2023. The research revealed the group’s evolving obfuscation techniques and strategies to bypass domain-based blocking, posing challenges to detection and tracking efforts. By examining thousands of samples, researchers were able to uncover insights into Gamaredon’s operations and the relationships among the various tools employed.

Attributed to the 18th Center of Information Security of the FSB in Crimea by the Security Service of Ukraine, Gamaredon is known for targeting Ukrainian governmental institutions. While the majority of their attacks are directed at Ukrainian entities, there have been isolated attempts to compromise targets in NATO countries like Bulgaria, Latvia, Lithuania, and Poland. However, no successful breaches were observed in those instances.

Between November 2022 and December 2023, over a thousand unique machines in Ukraine were targeted by Gamaredon, as illustrated by a seven-day moving average graph. The group’s approach to compromising victims involves spearphishing campaigns and the use of custom malware to weaponize documents and USB drives accessible to initial victims.

Unlike many APT groups that prioritize stealthiness, Gamaredon’s operators are more reckless and less concerned with remaining hidden. They deploy simple downloaders and backdoors simultaneously to maintain access to compromised systems, regularly updating their tools and employing obfuscation techniques.

In recent years, Gamaredon has shifted towards utilizing VBScript and PowerShell, enhancing their cyberespionage capabilities and developing new tools focused on stealing data from various sources. The group’s toolset includes downloaders, droppers, stealers, backdoors, and ad hoc tools, each serving specific functions within their operations.

To evade detection and blocking, Gamaredon constantly switches C&C IP addresses and domains, utilizing fast flux DNS techniques and leveraging third-party services like Telegram and Cloudflare. Despite the simplicity of their tools, Gamaredon poses a significant threat due to their aggressive approach and persistence, particularly in the context of ongoing conflict in Ukraine.
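The domain-rotation pattern described above leaves a measurable trace in DNS telemetry: one hostname resolving to many distinct addresses with short TTLs. The following script, an added example that is not ESET's code and not taken from the white paper, flags such domains in a constructed passive-DNS log; the domains, IPs, and log format are invented for illustration, not Gamaredon indicators.

```python
"""Flag fast-flux-style domains in a simple passive-DNS log (added example)."""
from collections import defaultdict

# Constructed sample in the form "timestamp domain ttl ip" (not real IoCs)
SAMPLE_LOG = """\
1700000000 update-srv.example 60 198.51.100.11
1700000120 update-srv.example 60 198.51.100.42
1700000240 update-srv.example 30 203.0.113.7
1700000360 update-srv.example 60 203.0.113.90
1700000480 update-srv.example 45 198.51.100.77
1700000000 cdn.example 3600 192.0.2.10
1700003600 cdn.example 3600 192.0.2.10
1700007200 cdn.example 3600 192.0.2.11
"""


def parse_dns_log(text):
    """Yield (domain, ttl, ip) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, domain, ttl, ip = parts
        yield domain, int(ttl), ip


def fast_flux_candidates(records, min_ips=4, max_ttl=300):
    """Return {domain: (distinct_ip_count, avg_ttl)} for domains that resolve
    to at least min_ips distinct addresses with an average TTL <= max_ttl.
    Thresholds are assumed starting points, not values from the report."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for domain, ttl, ip in records:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    flagged = {}
    for domain, seen in ips.items():
        avg_ttl = sum(ttls[domain]) / len(ttls[domain])
        if len(seen) >= min_ips and avg_ttl <= max_ttl:
            flagged[domain] = (len(seen), avg_ttl)
    return flagged


if __name__ == "__main__":
    for dom, (n, ttl) in fast_flux_candidates(parse_dns_log(SAMPLE_LOG)).items():
        print(f"{dom}: {n} distinct IPs, avg TTL {ttl:.0f}s")
```

Legitimate CDNs and load balancers also rotate addresses, so treat a hit as a lead to correlate with process, proxy, or endpoint telemetry rather than a verdict on its own.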

For a detailed technical breakdown of Gamaredon’s activities and tools, the full ESET Research white paper is available for further examination. Additionally, a list of indicators of compromise (IoCs) can be accessed on ESET’s GitHub repository for those interested in monitoring and detecting potential Gamaredon activity.
