
Russian state hackers continue to infiltrate Ukrainian state entities by deploying information-stealing malware, in what is suspected to be an ongoing espionage operation.

The group of hackers was identified as Gamaredon, a Russia-linked cyber threat actor operating since 2013. Gamaredon, also known as Actinium, Armageddon, Primitive Bear, Shuckworm, and Trident Ursa, targets both public and private entities in Ukraine. The group has been a long-time actor in several pro-Russian activities, as Warren Mercer and Vitor Ventura revealed.

Cisco Talos researchers Asheer Malhotra and Guilherme Venere described the group's well-known intrusion method. “The adversary is using phishing emails containing lures disguised as related to the Russian invasion of Ukraine,” said Malhotra and Venere.

The operation begins by luring victims with a document that purports to provide information about the Russo-Ukrainian War. Once the document is opened, the malware runs its initial stages and then executes a PowerShell script that collects the target’s data and uploads it to a remote server.

Malhotra and Venere added that the malware serves two purposes: it exfiltrates certain file types and uses compromised endpoints to deploy additional binary and script-based payloads.

The malware’s primary purpose is to siphon data from the targeted entity, including passwords and other sensitive personal information, such as the data saved and accessed by web browsers.

Ukrainian government, military, and law enforcement employees are the group’s typical targets. The attacks are reported to have started on July 15, 2022, and were first noticed in late August 2022.

Meanwhile, a special report released by Microsoft revealed that state-backed Russian hackers have engaged in “strategic espionage” against 128 targets spanning governments, think tanks, businesses, and aid organisations in 42 countries supporting Kyiv since the start of the war, alongside ongoing attempts to infect Ukrainian organisations with malware.

Cisco Talos has also published ways to determine whether this malware has compromised a machine. One is to check whether a persistence registry value named “Windows Task” exists under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the other is to check whether a mutex named Global\flashupdate_r has been created on the system.
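The two host checks described above can be scripted for triage. The following PowerShell is an added example written for this page, not code from Cisco Talos or the article; the only indicators it relies on are the two named in the text (the “Windows Task” Run value and the Global\flashupdate_r mutex). It goes slightly beyond the text by inspecting the Run key of every user hive currently loaded under HKEY_USERS rather than only HKCU, and by treating an access-denied error when opening the mutex as evidence that the mutex exists (a named object that does not exist cannot fail on permissions).

```powershell
# Added triage example (not from Cisco Talos or the article).
# Indicators assumed from the reporting above:
#   - Run value named "Windows Task" under ...\CurrentVersion\Run
#   - mutex named Global\flashupdate_r
# Run elevated to see all loaded user hives and the global mutex namespace.

function Test-GamaredonRunKey {
    $valueName = 'Windows Task'
    $results = @()
    # Every loaded profile appears as a SID subkey under HKEY_USERS; skip the
    # *_Classes keys, which hold file-association data and have no Run key.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $runKey = Join-Path $hive.PSPath 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties.Name -contains $valueName) {
            $results += [pscustomobject]@{
                Indicator = 'RunKey'
                Hive      = $hive.PSChildName
                Found     = $true
                Detail    = $props.$valueName   # the command line the value launches
            }
        }
    }
    if ($results.Count -eq 0) {
        $results += [pscustomobject]@{ Indicator = 'RunKey'; Hive = '*'; Found = $false; Detail = $null }
    }
    return $results
}

function Test-GamaredonMutex {
    $mutexName = 'Global\flashupdate_r'
    $mutex = $null
    try {
        # TryOpenExisting returns $true only if a mutex with this name already exists.
        $exists = [System.Threading.Mutex]::TryOpenExisting($mutexName, [ref]$mutex)
        if ($exists) { $mutex.Dispose() }
    } catch [System.UnauthorizedAccessException] {
        # The object exists but this token cannot open it; that is still a hit.
        $exists = $true
    }
    [pscustomobject]@{ Indicator = 'Mutex'; Hive = 'n/a'; Found = [bool]$exists; Detail = $mutexName }
}

function Invoke-GamaredonTriage {
    $report = @(Test-GamaredonRunKey) + @(Test-GamaredonMutex)
    $report | Format-Table -AutoSize
    # Non-zero exit code if any indicator was found, so the script can be
    # dropped into an EDR live-response or scheduled sweep.
    if ($report.Found -contains $true) { exit 1 } else { exit 0 }
}

Invoke-GamaredonTriage
```

A mutex is only visible while the process that created it is running, so a negative mutex result on a rebooted host proves nothing; the Run value is the durable artefact and, if found, its `Detail` column gives the path of the launched binary or script to collect for analysis.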

Organisations must be aware of the threat actors most likely to target them. Knowing who they are makes it possible to prevent worse outcomes in advance rather than rebuild after the damage is done.
