
Russian Attackers Target Military Mission in Ukraine With Info-Stealing Malware

Gamaredon, a Russia-backed threat group known for distributing malware via phishing emails, recently appears to have used an infected removable drive to target a Ukraine-based military mission of an undisclosed Western country.

The malware was an updated version of GammaSteel, a data-stealing tool, according to Symantec researchers who analysed the recent attacks. The report stated that the campaign was active in February and March.

However, the researchers did not describe the removable drive itself. Following the infection, Gamaredon employed novel techniques to hide its activity from both researchers and victims. Symantec says GammaSteel was deployed through a complex, multi-stage attack chain.

Gamaredon, also known as Shuckworm and BlueAlpha, has been active since at least 2013 and is thought to operate from the Russian-annexed Crimean Peninsula under the supervision of Russia's Federal Security Service (FSB). Since the start of the Russian invasion, the organisation has repeatedly targeted Ukraine. In 2023 alone, the country identified 277 cyber incidents linked to the group. 

While Gamaredon is primarily engaged in cyberespionage against Ukrainian security and defence services, it has also been tied to at least one catastrophic cyberattack on an unidentified information infrastructure institution. Symantec did not reveal the targeted organisation, the extent of the GammaSteel campaign, or the nature of the data the attackers attempted to steal.

Gamaredon, which has historically been regarded as less capable than other Russian threat actors, appears to have become more sophisticated in this latest campaign. The group appears to be constantly altering its code, abusing legitimate online services, and adding layers of obfuscation.

Earlier in March, cybersecurity researchers at Cisco Talos warned that Gamaredon was conducting an ongoing operation to install a surveillance tool on Ukrainian computers. In that campaign, Gamaredon infected users via phishing emails carrying malicious files purportedly relating to Ukrainian troop movements.

According to Recorded Future's Insikt Group, the group was observed in December using Cloudflare Tunnels, a service that can mask the true location of servers or infrastructure, to infect targets with its proprietary GammaDrop malware while remaining undetected. Earlier last year, two FSB-affiliated hackers were sentenced in absentia to 15 years in prison in Ukraine for cyberattacks on government institutions. The pair is reportedly linked to Gamaredon.