Hacker group attacks Ukraine and NATO countries

ESET has carried out an analysis of the activities of the Russian hacker group Gamaredon, which currently poses the greatest threat to Ukraine in cyberspace. In the course of the research, it was also discovered that NATO countries such as Bulgaria, Latvia, Lithuania and Poland have been attacked – albeit unsuccessfully.

According to the ESET experts, Garmaredon also works with the APT group InvisiMole, which is mainly known for targeted attacks on high-ranking organizations in Eastern Europe.

Gamaredon has been active since 2013 and is assigned to the Russian secret service FSB by the Ukrainian security service. The hackers carry out targeted cyberattacks mainly against Ukrainian government institutions. In 2023, the group significantly improved its capabilities and developed new tools for data espionage. These tools focus on stealing sensitive information from email programs, messaging apps such as Signal and Telegram and web browsers.

Procedure from Gamaredon

The Gamaredon hacker group uses two main methods to trick its victims and penetrate their systems:

• Spear phishing campaigns: Gamaredon conducts targeted phishing attacks in which they send tailored emails to selected individuals or organizations. These emails often contain deceptively genuine-looking information designed to gain the recipient’s trust. The aim is to get the recipient to click on a malicious link or open an infected attachment.
• Infected documents and USB drives: After first accessing a system, Gamaredon uses custom malware to “weaponize” Word documents and USB drives. These infected files and devices are then often unknowingly passed on to other potential targets by the original victims. This allows the infection to spread throughout networks and organizations.

These tactics are particularly effective as they rely on human vulnerabilities such as trust and routine. Victims are often deceived into believing they are opening legitimate documents or using secure USB drives. The group specifically exploits the knowledge of its victims to make the attacks as convincing as possible.

Also active against NATO countries with new tools

Of particular concern is the discovery of the “PteroBleed” malware, which specifically targets Ukrainian military systems and the webmail service of a Ukrainian government agency. ESET researchers have also observed isolated attempts to attack targets in NATO countries such as Bulgaria, Latvia, Lithuania and Poland, although no successful intrusions have been detected to date.

Unlike many other hacker groups, Gamaredon operates in a conspicuous and ruthless manner. The group frequently updates and disguises its tools, quickly switches between server addresses and domains, and simultaneously deploys several simple malicious programs to maintain access. Despite the relative simplicity of their individual tools, this aggressive approach makes Gamaredon a significant threat.

Hooks with open visor

ESET researcher Zoltán Rusnák explains: “Gamaredon does not even try to remain undetected. The lack of sophistication of Gamaredon’s tools is compensated by frequent updates and changing obfuscation techniques to evade security measures. The group uses multiple simple downloaders or backdoors simultaneously to secure access to compromised systems.”

Given the ongoing conflict in the region, ESET expects Gamaredon to maintain its focus on Ukraine. To protect against such cyberattacks, experts recommend regularly updating operating systems and security software, exercising caution when opening email attachments and links, and using strong, unique passwords and two-factor authentication.

(pd/ESET)