Warning about Russian threat actor Gamaredon
Warning about Russian threat actor Gamaredon

News -

Warning about Russian threat actor Gamaredon: How to stay protected ahead of invasion anniversary cyber threat

  • Ukrainian authorities have issued a warning that Russia could conduct large-scale cyberattacks on the anniversary of the invasion
  • Logpoint has conducted research into the hacktivist group Gamaredon, which according to Ukrainian CERT, is actively renewing attack efforts shifting focus from destruction to espionage and information stealing

COPENHAGEN, Denmark & BOSTON, February 23, 2023 – Russian cyberattacks against Ukraine have nearly tripled during the last year, and now the Ukrainian Defense Minister, Oleksii Reznikov, expresses concern that Russia will renew its offensive to coincide with the anniversary of the all-out war. Ukraine's National Security and Defense Council has issued a warning that Russia could conduct a large-scale cyberattack as part of its renewed aggression.

Ukranian CERT has released reports stating that the Russian threat actor Gamaredon, also known as UAC-0010, Primitive Bear, BlueAlpha, ACTINIUM, and Trident Ursa, is actively renewing its attack efforts. Reportedly, the group operates from Sevastopol in Crimea and follows instructions from the FSB Center for Information Security in Moscow.

“Gamaredon has carried out several cyberattacks against Ukraine since it originated in June 2013, a few months before Russia forcibly annexed the Crimean Peninsula. We’ve recently seen significant spikes in their activities and the group remains the most active, intrusive, and pervasive APT,” says Doron Davidson, Logpoint VP Global Services. “We’re monitoring the situation closely to keep up with threat intelligence and defense techniques that can mitigate the risk of Gamaredon.”

Ukraine’s State Service of Special Communication and Information Protection states that Gamaredon focuses more on information stealing and espionage than destruction and increasingly uses GammaLoad and GammaSteal spyware. These malware variants are custom-made information-stealing implants that can exfiltrate files of specific extensions, steal user credentials, and take screenshots of the victim’s computer.

Logpoint’s investigation into GammaLoad and GammaSteal shows that the malware variants get delivered via spear-phishing emails from compromised government employees, including malicious HTML files, Office documents, and phishing websites to target devices. The malware is designed to attack all Windows, Linux, and Android operating systems.

“It’s always crucial to detect an attack before it takes root in the systems,” says Doron Davidson. “With Gamaredon and other APTs, it’s not enough to follow best practices. You need to have capabilities to efficiently detect threats based on known indicators of compromise, using active monitoring and incident response plans.”

Read Logpoint’s report about Gamaredon hereand get an in-depth analysis of the threat actor’s techniques, indicators of compromise, and insights about incident investigation and response.

Related links

Topics

Categories

Contacts

Maimouna Corr Fonsbøl

Maimouna Corr Fonsbøl

Press contact Head of PR PR & Communications +45 25 66 82 98

Related content

Royal ransomware investigation: How to brace for the sharp increase

Royal ransomware investigation: How to brace for the sharp increase

Logpoint research reveals what organizations should monitor for to safeguard against the rapid increase in royal ransomware attacks. The Royal ransomware group has leaked data of more than 60 victims since November 2022.

The resurgence of a crippling malware: How to threat hunt Emotet

The resurgence of a crippling malware: How to threat hunt Emotet

Logpoint research reveals that Emotet has developed into a Loader-as-a-Service - a dropper of other malware. Logpoint recommends looking out for its common TTPs, IoCs, and malicious macros to detect Emotet.

Hunting BlackCat: A ransomware family on the rise

Hunting BlackCat: A ransomware family on the rise

Logpoint research reveals that BlackCat has the fourth-highest number of victims in the last six months. BlackCat uses its public leak site to intimidate victims, where anyone can easily search and access the leaked victim information.

Logpoint Global Services has researched the banking trojan IcedID, which has developed into a gateway for more sophisticated attacks

Cyber attackers hiding behind legal threats: A deep-dive into the IcedID gateway to sophisticated cyberattacks

Logpoint Global Services has researched the banking trojan IcedID, which has developed into a gateway for more sophisticated attacks. IcedID leverage legitimate infrastructure like contact forms and email to deliver fake legal threats or spoofed invoices.

Akira: A new ransomware gang wreaks havoc

Akira: A new ransomware gang wreaks havoc

Emerging in March this year, Akira quickly joined the most active ransomware groups as number four. Logpoint has analyzed the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise IoCs enabling protection.

Logpoint has collated a report highlighting the TTPs and IoCs applied by Cactus to create alert rules to detect methods the group uses

Cactus: Defending against a ransomware newcomer

Cactus emerged in March this year and has since built an extensive portfolio of high-profile victims. Logpoint has analyzed Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) to establish defenses.
COPENHAGEN, Denmark, November 27, 2023 – Cactus has emerged as a sophisticated ransomware group with a severe impact on its victims. The newcomer first appeared in March

The infamous state-sponsored Advanced Persistent Threat (APT) linked to Russia remains active, posing a severe threat to organizations

Cozy Bear: Unmasking the decades-long espionage arsenal

The infamous state-sponsored Advanced Persistent Threat (APT) linked to Russia remains active, posing a severe threat to organizations. Logpoint has analyzed the Tactics, Techniques, and Procedures (TTPs), helping organizations detect the threat actor.

About Logpoint

Headquartered in Copenhagen, Denmark, with offices across Europe, the USA, and Asia, Logpoint is a multinational, multicultural, inclusive cybersecurity company. LogPoint bolsters organizations in the fight against evolving threats by giving them a single source of truth — an intuitively designed platform with the powerful capabilities needed to ensure their safety. Powered by machine learning and backed by an industry-leading support team, Logpoint’s cybersecurity operations platform accelerates detection and response, allowing organizations to respond to tomorrow’s threats.

Logpoint’s core belief lies in creating software that empowers security teams to make confident decisions, feel justified in their choices, and more efficiently protect their organizations. That principle has earned them the trust of more than 1,000 organizations worldwide, as well as a place in Gartner’s Magic Quadrant.

The company’s culture prioritizes passion, innovation, team spirit, and client satisfaction. Together, these values fuel Logpoint’s success across cybersecurity technologies: from SIEM, UEBA, and SOAR to SAP security, converged into an integrated security operations platform, created to protect the digital heart of organizations.

Logpoint
Bryggervangen 55
2100 Copenhagen
Denmark
Our website
Visit our other newsrooms