Ukraine’s top law enforcement and the counterintelligence agency revealed the true identities of five people accused of being engaged in digital attacks ascribed to the Gamaredon cyberespionage organization on Thursday, tying the perpetrators to Russia’s Federal Security Service (FSB).
The Security Service of Ukraine (SSU) described the hacking group as “an FSB special project, which specifically targeted Ukraine,” adding that the offenders “are officers of the ‘Crimean’ FSB and traitors who defected to the enemy during the occupation of the peninsula in 2014.”
Chernykh Mykola Serhiiovych, Sklianko Oleksandr Mykolaiovych, Miroshnychenko Oleksandr Valeriiovych, Starchenko Anton Oleksandrovych, and Sushchenko Oleh Oleksandrovych are the names of the five people the SSU accuses of being involved in the secret operation.
Since its inception in 2013, the Russia-linked Gamaredon group has run a series of phishing campaigns aimed primarily at Ukrainian institutions, with the goal of extracting sensitive data from compromised Windows systems for geopolitical gain.
The group is suspected of carrying out over 5,000 cyberattacks against public authorities and critical infrastructure in the country, and of attempting to infect over 1,500 government servers, with the majority of attacks aimed at defense, security, and law enforcement organizations in order to obtain classified intelligence.
“Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar,” ESET, a Slovak cybersecurity company, noted in a June 2020 report. “Even though their tools have the capacity to download and execute arbitrary binaries that could be far stealthier, it seems that this group’s main focus is to spread as far and fast as possible in their target’s network while trying to exfiltrate data.”
Gamaredon is known to have invested in a variety of tools for bypassing organizations’ defenses, written in a range of languages such as VBA Script, VBScript, C#, and C++, and making use of PowerShell, CMD, and .NET command shells, in addition to its heavy reliance on social engineering as an intrusion vector.
Pterodo (aka Pteranodon) is a modular remote administration tool featuring keystroke logging, remote access capabilities, access to the microphone, the ability to take screenshots, and the ability to download further modules from a web server. A .NET-based file stealer is also used, which is designed to capture files with the extensions *.docx, *.doc, *.rtf, *.xls, *.txt, *.odt, *.pdf, and *.jpg.
A third tool is a malicious payload designed to propagate malware via linked removable media while also gathering and siphoning data from those devices.
“The SSU is continuously taking steps to contain and neutralize Russia’s cyber aggression against Ukraine,” the agency said. “Established as a unit of the so-called ‘FSB Office of Russia in the Republic of Crimea and the city of Sevastopol,’ this group of individuals acted as an outpost […] from 2014 purposefully threatening the proper functioning of state bodies and critical infrastructure of Ukraine.”