Key Intelligence Signals:
Gamaredon aka Shuckworm Resumes Operation Against Ukrainian Government
Summary:
In a recent development into an offensive cyber operation of nation based advanced persistent threat group, a cyber security researcher observed Russian-sponsored APT, Gamaredon aka Shuckworm targeting Ukrainian government assets to back Russia in the ongoing war against Ukraine. The APT Gamaredon is active since 2014 and only focused on targeting Ukrainian Assets in the interest of the Russian government. The group has conducted various offensive attacks with similar TTPs used in past attacks. In a recent campaign, a spear-phishing email delivered a malicious RAR archive file, which a user opened. This triggered the execution of a malicious PowerShell command that downloaded a payload from the attackers’ server. The threat actor has been using various IP addresses and updating their obfuscation techniques to avoid detection. A VBS script, identified as Pterodo backdoor, was then executed. The targeted machine contained confidential documents related to Ukrainian security services or government departments. It is observed the threat actor added an additional script employing USB propagation. This feature allows the threat actor to reach out to other machines through removable USB devices and infect them with malware. Further observation revealed that the threat actor exploited Telegram as their command-and-control server.
Insights:
The threat actor employed the same TTPs as they have used in previous other campaigns, including the target industry remained similar. However, in the previous operations, the threat actor employed sophisticated spyware called GammaSteel and GammaLoad to carry out their malicious activities.
KillNet, in partnership with REvil and Anonymous Sudan, announced recently that they would attack European banking systems in retaliation for Western sanctions on Russia and as supposed means of deterrence of the West from intervening in the ongoing violent crisis in Sudan.
While the hackers haven’t delivered the general attack on the SWIFT interbank funds transfer system, they have been threatening, it seems these hacktivist auxiliaries carried out a successful distributed denial of service (DDoS) attack against the European Investment Bank (EIB). The institution has confirmed that they are experiencing a cyber-attack, which is affecting the status of their website, however so far, this minor nuisance has been the extent of the attack. It is unlikely that the actors in and of themselves have the capability and sophistication to bring down a well-defended infrastructure, as their demonstrated capability in recent years and months only amounted to nuisance attacks like DDoS and occasional defacements. At the same time, researchers now posit that Anonymous Sudan is a Russian-run front operation, and not the Islamist patriotic hacktivist collective it claims to be. However, in the not impossible event of top Russian state APTs carrying out significant attacks on European and Western banking, it is likely, the hacktivist auxiliaries would take credit to partially shield Moscow from the political fallout.
The government of the UK has recently announced that it would allocate £25 million in aid towards Ukraine’s cybersecurity. The new funding enhances and substantially increases the previous round of cybersecurity support from last year, that was about a fifth of the size of the current package. Prime Minister Rishi Sunak explained, “Russia’s appalling attacks on Ukraine are not limited to their barbaric land invasion, but also involve sickening attempts to attack their cyber infrastructure that provides vital services, from banking to energy supplies, to innocent Ukrainian people. This funding is critical to stopping those onslaughts, hardening Ukraine’s cyber defenses and increasing the country’s ability to detect and disable the malware targeted at them.” The continuous support the UK is showing to Ukraine in its plight is however likely to put British infrastructure, government, and business into the crosshairs of Russian hackers, who swore on social media to retaliate.
CYFIRMA Research team observed a potential data leak related to APP-Sindicato, (www[.]appsindicato[.]org[.]br). APP Sindicato – Union of Public Education Workers of Paraná. The first organization was created by teachers of the public education system in Paraná, on April 26, 1947, the entity has a history full of dreams. The data that has been exposed consists of a diverse array of sensitive and confidential information in SQL format, with a total size of 5 GB.
Source: Underground forums
CYFIRMA Research team observed threat actor selling access to a vulnerable server of a financial institution located in Africa. This can further lead to ransomware attack on compromised organisation.
Source: Underground forums