Russian FSB believed to be behind the Gamaredon Hacking Group against Ukraine

December 1, 2021
Russia FSB Gamaredon Hacking Group Ukraine Malware State Sponsored Cyberattacks

Five members of the Gamaredon hacking group were recently identified by the Security Service of Ukraine (SSU). Gamaredon is a Russian state-sponsored operation best known for its attacks on Ukraine, which it has conducted since 2014.

The SSU tracks the Gamaredon hacking group as Armageddon. The group is claimed to be operated by the Russian Federal Security Service (FSB) and is believed to be behind more than 5,000 attacks against Ukraine.

According to Ukraine, the hacking group has targeted more than 1,500 Ukrainian government, public and private entities over the last seven years.

Gamaredon targets Ukraine to gather intelligence, take control of critical infrastructure, and disrupt operations. The SSU has identified the five individuals involved in the attacks and says it holds clear proof of their participation, collected from intercepted communications.

The hackers tried to hide their digital footprints with custom malware and anonymisation tools, but SSU investigators identified them nonetheless. The SSU also released the names of the five individuals: Sushchenko Oleh Oleksandrovych, Sklianko Oleksandr Mykolaiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriovych, and Chernykh Mykola Serhiovych. According to the SSU, they operate under the guidance of the FSB’s 18th Center of Information Security in Moscow, and were identified as officers of the Crimean FSB who sided with Russia during the 2014 occupation of the peninsula.

Under Ukrainian law they have been charged with espionage, treason, distribution and use of malware, and unauthorised interference in the operation of electronic computers. Nonetheless, the five individuals have yet to be arrested. The SSU still regards the public exposure as an effective measure to neutralise the threat.

The SSU has also published a technical report on Gamaredon’s activity, setting out key points about the group’s toolset and tactics. The report found that the group used Outlook macros and deployed the EvilGnome backdoor to compromise victims’ systems. It also lists vulnerabilities the group exploited, including the WinRAR flaw CVE-2018-20250 and the MS Office remote code execution flaw CVE-2017-0199.

Gamaredon also uses removable media to deliver malware to offline systems so that it can be carried into isolated networks. According to the report, the group has used this tactic since 2014.

The report also describes a malware tool named “Pteranodon”, a novel modular remote administration tool (RAT) with information-collecting and anti-analysis features.

The published technical details should help security analysts attribute past attacks to the Gamaredon hacking group. The report’s findings may also, at least for a time, reduce the operational effectiveness of Russian state threat actors.
