GAMAREDON ACTIVITY AMID UKRAINE’S COUNTEROFFENSIVE

This report presents a strategic view of the increased threat posed by the Gamaredon Advanced Persistent Threat (APT) group, which targeted Ukrainian military organizations during a recent Ukrainian counteroffensive. It covers the nature of the Gamaredon APT, its links to Moscow, its recent tactics and techniques (including the malware and network infrastructure used), and the potential implications for Ukrainian military organizations conducting counteroffensive operations.

EXECUTIVE SUMMARY

UNVEILING THE THREAT LANDSCAPE

The Gamaredon group, a longstanding cyber adversary, has significantly escalated its activities in recent years. Emerging around 2013, Gamaredon initially targeted Ukrainian entities across various sectors, including government, defense, and critical infrastructure. Since then the group's operations have expanded in scope and sophistication, reflecting a calculated evolution of its tactics, techniques, and procedures (TTPs).

Gamaredon's primary objectives are espionage and data theft. Its arsenal comprises a range of custom-developed malware, typically delivered through spear-phishing campaigns that use trojanized documents to compromise victims' systems. Once inside a target network, Gamaredon operators move stealthily, exfiltrate valuable data, and maintain persistence.

Attribution of cyberattacks remains a complex endeavor, but strong indicators point to Gamaredon's affiliation with Moscow. In 2021 the Security Service of Ukraine (SSU) investigated Gamaredon's activities and linked the group to the directorate of Russia's Federal Security Service (FSB) in annexed Crimea. This connection underlines the state-sponsored nature of Gamaredon's operations and its role in broader geopolitical maneuvers.
Recent developments have seen Gamaredon intensify its efforts during a Ukrainian counteroffensive. By targeting Ukrainian military organizations and government entities during this sensitive period, the group seeks to gather intelligence and steal sensitive military information in order to disrupt Ukrainian counteroffensive operations.

DOMAIN ROTATION AND INFRASTRUCTURE COMPLEXITY

Gamaredon's tactics show a consistent pattern of domain rotation and infrastructure complexity. The group registers a substantial number of domains and subdomains and parks them on specific IP addresses. The result is a dynamic infrastructure that can be rotated quickly, which makes detection and attribution challenging for defenders: blocking a single domain or IP address has little effect when the next lure already points somewhere else.

Recent analysis of Gamaredon activity highlights certain Autonomous System Numbers (ASNs) that have become prominent in this strategy. The group overwhelmingly prefers two autonomous systems: GIR-AS (GLOBAL INTERNET SOLUTIONS LLC) and DIGITALOCEAN-ASN (DigitalOcean, LLC). GLOBAL INTERNET SOLUTIONS LLC is located in Sevastopol, a city in temporarily occupied Crimea, which is a further indication of the group's links to the FSB directorate in Crimea.

Figure 1. Breakdown of Autonomous System Labels used by Gamaredon in its latest campaigns.

In the run-up to a significant event such as Ukraine's counteroffensive, Gamaredon displayed a notable surge in infrastructure preparation. In April and May the group registered a substantial number of domains and subdomains. This infrastructure was then used in attacks against Ukrainian military and security organizations amid the counteroffensive.

Figure 2. Chronology of domain creation.

HIDING UNDER THE HOOD OF LEGITIMATE SERVICES

The group has adeptly embraced the use of legitimate services to obfuscate its network activity, making detection and attribution increasingly challenging.
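The two views the preceding section (DOMAIN ROTATION AND INFRASTRUCTURE COMPLEXITY) describes, a per-ASN breakdown of registered domains and a month-by-month registration chronology with its pre-operation burst, plus a pivot from one parked domain to the others sharing its IP, as an added example that is not part of the original report. The records are constructed sample data on reserved .example names; they have the shape of a passive-DNS / WHOIS export, not Gamaredon's real infrastructure, and the burst threshold is an assumption.

```python
"""Infrastructure-pattern analysis over passive-DNS / WHOIS style records.

Added example, not taken from the original report. RECORDS is constructed
sample data on reserved .example names; it mimics the shape of what an
analyst exports from passive DNS and WHOIS, not Gamaredon's real domains.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed records: (fqdn, parent-domain registration date, parked IP, ASN label)
RECORDS = [
    ("a1.lure-one.example",   date(2023, 4, 3),  "203.0.113.10", "GIR-AS"),
    ("a2.lure-one.example",   date(2023, 4, 3),  "203.0.113.10", "GIR-AS"),
    ("b1.lure-two.example",   date(2023, 4, 11), "203.0.113.10", "GIR-AS"),
    ("c1.lure-three.example", date(2023, 5, 2),  "198.51.100.7", "DIGITALOCEAN-ASN"),
    ("c2.lure-three.example", date(2023, 5, 2),  "198.51.100.7", "DIGITALOCEAN-ASN"),
    ("d1.lure-four.example",  date(2023, 5, 20), "203.0.113.11", "GIR-AS"),
    ("e1.old-one.example",    date(2023, 1, 9),  "192.0.2.5",    "OTHER-AS"),
    ("f1.old-two.example",    date(2023, 2, 14), "192.0.2.6",    "OTHER-AS"),
    ("g1.old-three.example",  date(2023, 3, 1),  "192.0.2.7",    "DIGITALOCEAN-ASN"),
]


def registrable_domain(fqdn: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .ru/.example; a production
    tool would consult the Public Suffix List."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def asn_breakdown(records) -> Counter:
    """Registrable domains per ASN label, counting each domain once even
    when it has many subdomains (the view behind a Figure 1 style chart)."""
    asn_of = {}
    for fqdn, _, _, asn in records:
        asn_of.setdefault(registrable_domain(fqdn), asn)
    return Counter(asn_of.values())


def registrations_by_month(records) -> dict:
    """Distinct registrable domains created per YYYY-MM (Figure 2 style)."""
    by_month = defaultdict(set)
    for fqdn, created, _, _ in records:
        by_month[created.strftime("%Y-%m")].add(registrable_domain(fqdn))
    return {m: len(d) for m, d in sorted(by_month.items())}


def burst_months(by_month: dict, factor: float = 2.0) -> list:
    """Months whose registration count is at least `factor` times the
    median month: the pre-operation infrastructure build-up to look for.
    The factor is an assumed threshold, tune it to your own baseline."""
    baseline = median(by_month.values())
    return [m for m, n in by_month.items() if n > 1 and n >= factor * baseline]


def parked_clusters(records, min_domains: int = 2) -> dict:
    """IPs on which at least `min_domains` different registrable domains are
    parked, with the hostnames sharing them. Lets you pivot from one known
    lure domain to the rest of the parked set before it rotates."""
    by_ip = defaultdict(set)
    for fqdn, _, ip, _ in records:
        by_ip[ip].add(fqdn)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len({registrable_domain(n) for n in names}) >= min_domains}


if __name__ == "__main__":
    print("ASN breakdown:", dict(asn_breakdown(RECORDS)))
    months = registrations_by_month(RECORDS)
    print("Registrations by month:", months)
    print("Burst months:", burst_months(months))
    for ip, names in parked_clusters(RECORDS).items():
        print(f"{ip} hosts {len(names)} names across parked domains: {names}")
```

On the constructed data the GIR-AS label dominates, April and May stand out as burst months against the January to March baseline, and 203.0.113.10 is the only IP parking more than one registrable domain. With real exports, run the same functions over the ASN column from an IP-to-ASN lookup and over WHOIS creation dates, and treat a burst month that precedes a known operation as a cue to block the whole parked cluster rather than the one domain that appeared in a lure.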
Recent instances involving Cloudflare, Telegram, and Telegraph illustrate Gamaredon's approach to concealing its activities. Earlier this year, Gamaredon used seemingly benign platforms for malicious purposes: Cloudflare's public DNS resolver, cloudflare-dns.com, and the popular messaging app Telegram served as conduits for retrieving the IP addresses required for the next stages of its operations. These services acted as cover, camouflaging the true intent behind the traffic.

By using Cloudflare DNS and Telegram, Gamaredon avoided disclosing IP addresses directly in the body of its malware. Instead, the malware carries or generates only domain names and resolves them through these platforms at run time, so the group can change the next-stage IP address without redeploying the malware and reduces the risk of detection. This dynamic approach thwarts conventional IP-based blocking and signature-based detection techniques that look for hard-coded addresses.

Figure 3. Deobfuscated code of GammaLoad malware that establishes a connection to cloudflare-dns.com.

Gamaredon's commitment to network concealment remains steadfast. The group subsequently shifted to Telegram and Telegraph for the same purpose. Using these platforms lets it maintain a veneer of legitimacy and evade detection mechanisms that rely on known malicious IP addresses.

Figure 4. Deobfuscated code of GammaLoad malware that establishes connections to t.me and telegra.ph.

By leveraging services such as Cloudflare DNS, Telegram, and Telegraph, the group underscores its commitment to secrecy and adaptability. This trend emphasizes the need for security professionals to stay vigilant and adopt threat detection techniques that account for such deceptive strategies, for example monitoring outbound requests to public DNS-over-HTTPS resolvers and to Telegram channel previews from hosts that have no business making them, rather than relying on IP blocklists alone.

Figure 5. Response from telegra.ph containing the next-stage IP address.

EXPLOITING COMPROMISED DOCUMENTS AND MALWARE ARSENAL

GammaDrop, GammaLoad, GammaSteel, LakeFlash.
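Before turning to the malware arsenal, the dead-drop technique from the preceding section (HIDING UNDER THE HOOD OF LEGITIMATE SERVICES) as an added example that is not code from the original report or from GammaLoad itself. Part 1 mimics what the implant does: recover the next-stage IP from Cloudflare's DNS-over-HTTPS JSON API (the documented application/dns-json answer shape, which is the `dns-query?name=` form in this report's IOCs) or from the body of a public page such as a t.me/s/ channel preview or a telegra.ph article. Part 2 is the defender's side: a hunt over proxy log lines for fetches of those dead drops. The DoH answer, the page body and the log format are constructed samples and the regexes are assumptions; the URLs in the sample log lines are taken from the IOC list at the end of this report.

```python
"""Dead-drop resolution via trusted services, and a proxy-log hunt for it.

Added example, not code from the original report or from GammaLoad itself.
Part 1 mimics what the implant does: recover the next-stage IP from
Cloudflare's DoH JSON API (the documented application/dns-json answer
shape) or from the body of a public page. Part 2 is the defender's side:
flag proxy log lines that fetch those dead drops. The DoH answer, the page
body and the log lines are constructed samples; the log format and regexes
are assumptions made for this example.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")

# ---- Part 1: what the implant does ----------------------------------------

def ips_from_doh_json(body: str) -> list:
    """A-record answers from a GET /dns-query?name=<host>&type=A JSON reply.
    The binary carries only a hostname; a trusted resolver turns it into
    the C2 address at run time, so no IP literal is present for signatures."""
    doc = json.loads(body)
    if doc.get("Status") != 0:          # NOERROR only
        return []
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == 1]


def ips_from_page(html: str) -> list:
    """IPv4 literals found in a public page used as a dead drop (a t.me/s/
    channel preview or a telegra.ph article), first occurrence first."""
    return list(dict.fromkeys(IPV4.findall(html)))

# ---- Part 2: what the defender looks for ----------------------------------

def classify_url(url: str):
    """(technique, artefact) for URLs matching the three dead-drop patterns
    listed in the report's IOCs, or None. The artefact is the pivot value
    (queried hostname, channel name, or page slug) to search for elsewhere."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host == "cloudflare-dns.com" and u.path == "/dns-query":
        name = parse_qs(u.query).get("name", [""])[0]
        if name:                         # JSON API form; wire-format DoH has no ?name=
            return ("doh-json-lookup", name.lower())
    if host == "t.me" and u.path.startswith("/s/"):
        return ("telegram-channel-preview", u.path[3:].strip("/"))
    if host == "telegra.ph" and len(u.path) > 1:
        return ("telegraph-page", u.path.lstrip("/"))
    return None


# Assumed proxy log format: '<ts> <src> <method> <url> "<user-agent>"'
LOG_RE = re.compile(r'(\S+) (\S+) (\S+) (\S+) "([^"]*)"')


def hunt(log_lines) -> list:
    """Scan proxy log lines and return one alert dict per dead-drop fetch."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, _method, url, ua = m.groups()
        hit = classify_url(url)
        if hit:
            alerts.append({"ts": ts, "src": src, "technique": hit[0],
                           "artefact": hit[1], "ua": ua})
    return alerts


# Constructed samples. The DoH answer is for a placeholder name, not an
# observed resolution; the log URLs are taken from the IOC list in this report.
SAMPLE_DOH = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "savetofile.example", "type": 1}],
    "Answer": [{"name": "savetofile.example", "type": 1, "TTL": 300, "data": "203.0.113.50"}],
})
SAMPLE_PAGE = "<html><body><article><p>status</p><p>203.0.113.77</p></article></body></html>"
LOG_LINES = [
    '2023-06-12T09:14:02Z 10.0.0.21 GET https://cloudflare-dns.com/dns-query?name=demonstration.wadibo.ru "Mozilla/4.0"',
    '2023-06-12T09:14:05Z 10.0.0.21 GET https://t.me/s/tolnk_1 "Mozilla/4.0"',
    '2023-06-12T09:14:07Z 10.0.0.21 GET https://telegra.ph/jv908druxs-04-24 "Mozilla/4.0"',
    '2023-06-12T09:15:00Z 10.0.0.33 GET https://www.example.org/index.html "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("DoH answer ->", ips_from_doh_json(SAMPLE_DOH))
    print("page body  ->", ips_from_page(SAMPLE_PAGE))
    for a in hunt(LOG_LINES):
        print(f"{a['ts']} {a['src']} {a['technique']}: {a['artefact']} (UA {a['ua']})")
```

The JSON `?name=` form is worth singling out because browsers and operating systems that use cloudflare-dns.com for DNS-over-HTTPS normally send the binary wire format, not a GET with a hostname in the query string; still, a user can hit the JSON endpoint by hand, so treat one hit as a lead and escalate when the same host fans out to t.me/s/ and telegra.ph within seconds, as in the sample, or when the requesting process is not a browser.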
Amid Ukraine's counteroffensive, Gamaredon's phishing campaigns have escalated to target military and security organizations. These campaigns stand out for their use of legitimate documents stolen from previously compromised entities. Disguised as reports or official communications, such documents lend the attack credibility: recipients who believe the attachments are genuine are more likely to open the malicious content.

To support its phishing operations, Gamaredon has built a formidable malware arsenal. The group's toolkit includes the families named above (GammaDrop, GammaLoad, GammaSteel and LakeFlash) as well as Pterodo. Pterodo is a distinctive component, often disguised under the filename "7ZSfxMod_x86.exe", the name of a legitimate 7-Zip self-extracting (SFX) module. It is a multipurpose tool designed for espionage and data exfiltration, and its ability to deploy various modules makes it a potent threat capable of infiltrating and compromising targeted systems with precision.

CONCLUSION

The surge of Gamaredon attacks amid Ukraine's counteroffensive underlines a heightened threat landscape. While Gamaredon may not be the most technically advanced threat group targeting Ukraine, its tactics show a calculated evolution, and the growing frequency of attacks suggests an expansion of its operational capacity and resources. As demonstrated by its phishing campaigns and malware variants such as GammaDrop, GammaLoad, GammaSteel, LakeFlash and the adaptable Pterodo, Gamaredon leverages a multifaceted approach to compromise its targets. The use of legitimate documents from compromised organizations as phishing lures, combined with a well-rounded malware arsenal, demonstrates strategic sophistication.

Plans to restrict the use of Telegram and Telegraph services, particularly within government entities, are gaining momentum because of their exploitation by threat actors such as Gamaredon.
To safeguard sensitive information and protect national security interests, regulatory measures to limit the use of these services are being considered.

Although other threat groups may possess more intricate technical capabilities, Gamaredon's strategic timing and increased activity levels indicate an operational build-up. The alignment of its activity with critical military events amplifies its potential impact. Organizations must recognize the evolving nature of this threat and bolster both their cybersecurity measures and their participation in international cyber threat intelligence sharing accordingly. The combination of the group's expanding tactics and the current geopolitical landscape underscores the urgency of robust defenses against Gamaredon's evolving cyber threats.

DIAMOND MODEL OF INTRUSION ANALYSIS

INDICATORS OF COMPROMISE

Type  Value
URL   https://t[.]me/s/mtkozbawtcw
URL   https://t[.]me/s/hhrcislkr
URL   https://t[.]me/s/renummxhexzlqnp
URL   https://t[.]me/s/csszmy
URL   https://t[.]me/s/peghyxbkueawkp
URL   https://t[.]me/s/dxgosnpiji
URL   https://t[.]me/s/wuiagupaxsy
URL   https://t[.]me/s/tppalhetp
URL   https://t[.]me/s/aazfofoqurl
URL   https://t[.]me/s/mftqypmfd
URL   https://t[.]me/s/upvrnnkzhu
URL   https://t[.]me/s/chanellsac
URL   https://t[.]me/s/kmhrgnabgvucwl
URL   https://t[.]me/s/jbkkcohpep
URL   https://t[.]me/s/vzjjveyspk
URL   https://t[.]me/s/exmhjrjeczody
URL   https://t[.]me/s/rqmynic
URL   https://t[.]me/s/vdxgwlh
URL   https://t[.]me/s/pjzfbtboqnvu
URL   https://t[.]me/s/idaknpmehzj
URL   https://t[.]me/s/xgjhnluflfkgqum
URL   https://t[.]me/s/tolnk_1
URL   https://t[.]me/s/scwzrglirhjnyab
URL   https://t[.]me/s/uaqqfputly
URL   https://t[.]me/s/uwhvzcnsirlzx
URL   https://t[.]me/s/loggwwryzxqin
URL   https://t[.]me/s/hbcdqoxcxvk
URL   https://t[.]me/s/ocqcgvbgja
URL   https://t[.]me/s/wxpbntrkwjwqoon
URL   https://t[.]me/s/dnyyphpwi
URL   https://t[.]me/s/rwmlqlxfttee
URL   https://t[.]me/s/dtqlqmnswacn
URL   https://t[.]me/s/cctgfzuhcliux
URL   https://t[.]me/s/sxvywalm
URL   https://telegra[.]ph/jv908druxs-04-24
URL   https://telegra[.]ph/t1795sbzrl-07-04
URL   https://telegra[.]ph/j7bl93kg8t-07-18
URL   https://telegra[.]ph/cgd7z1ts8u-04-07
URL   https://telegra[.]ph/azxcsaqwr-03-28
URL   https://telegra[.]ph/29pynfm4rh-02-20
URL   https://cloudflare-dns[.]com/dns-query?name=demonstration.wadibo.ru
URL   https://cloudflare-dns[.]com/dns-query?name=delightful.humorumbi.ru
URL   https://cloudflare-dns[.]com/dns-query?name=demonstrate.rashidiso.ru
URL   https://cloudflare-dns[.]com/dns-query?name=savetofile26.bakaripi.ru