Analysis of toolset used to spy on Ukraine in 2022 and 2023
- November 4, 2024
- Posted by: claudia
ESET Research has conducted an in-depth technical analysis of the cyberespionage toolset employed by the Russia-aligned hacking group known as Gamaredon, which has been particularly active in Ukraine since the onset of the conflict in 2014 and has intensified its operations following Russia’s full-scale invasion in February 2022. This study reveals the group’s consistent activity and sophisticated evasion tactics amidst the backdrop of an ongoing multifaceted war characterized by escalating disinformation and cyber warfare.
Gamaredon has been attributed to the 18th Center of Information Security of the FSB and operates mainly out of occupied Crimea. With its operations traced back to at least 2013, the group focuses predominantly on Ukrainian governmental institutions. ESET’s telemetry indicates that, despite a rise in attacks on NATO countries, including Bulgaria, Latvia, Lithuania, and Poland, there have been no successful breaches into these regions.
The analysis produced by ESET Research presents a probing look into Gamaredon’s approach to compromising new victims, primarily through spearphishing campaigns. The group uses a combination of custom malware that weaponizes Word documents and USB drives, showing a notable lack of stealth compared to other advanced persistent threat actors. They are characterized by a “noisy” operational style, frequently risking detection but compensating for this through the use of various downloaders and backdoors aimed at maintaining access to compromised systems.
Changing tactics have been observed within Gamaredon’s operations, particularly a shift in 2022 towards the use of VBScript and PowerShell for cyberespionage, moving away from their previous reliance on self-extracting archives. In 2023, Gamaredon notably developed new tools designed for data theft through various applications, including military systems and governmental webmail services.
ESET’s categorization of Gamaredon’s toolset encompasses various functionalities—downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools—demonstrating a diverse set of capabilities. The group employs a robust infrastructure for command and control operations, implementing fast flux DNS techniques to frequently alter its IP addresses and evade detection. Their resourcefulness extends to leveraging third-party services like Telegram and Cloudflare, enhancing their ability to remain undetected while executing their attacks.
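As an added illustration of the fast flux DNS point above (this is example code, not from the ESET report), the heuristic below flags domains that resolve to many IPs across unrelated address blocks with short TTLs, run over constructed passive-DNS records; the thresholds are assumptions for demonstration, not ESET's detection logic.

```python
from collections import defaultdict
from statistics import mean

# Constructed passive-DNS style records (documentation ranges, not real
# Gamaredon infrastructure): timestamp, queried domain, resolved IP, TTL.
SAMPLE_RECORDS = [
    ("2023-05-01T10:00:00", "c2-example.invalid", "198.51.100.10", 60),
    ("2023-05-01T10:05:00", "c2-example.invalid", "203.0.113.25", 60),
    ("2023-05-01T10:10:00", "c2-example.invalid", "192.0.2.77", 60),
    ("2023-05-01T10:15:00", "c2-example.invalid", "198.51.100.44", 30),
    ("2023-05-01T10:20:00", "c2-example.invalid", "203.0.113.9", 60),
    ("2023-05-01T10:00:00", "www.example.com", "192.0.2.1", 3600),
    ("2023-05-01T11:00:00", "www.example.com", "192.0.2.1", 3600),
    ("2023-05-01T12:00:00", "www.example.com", "192.0.2.1", 3600),
]

def summarize(records):
    """Group resolutions by domain and compute fast-flux indicators."""
    per_domain = defaultdict(list)
    for _, domain, ip, ttl in records:
        per_domain[domain].append((ip, ttl))
    summary = {}
    for domain, rows in per_domain.items():
        ips = {ip for ip, _ in rows}
        # /24 churn: CDNs usually rotate inside one block, while fast-flux
        # networks spread answers across unrelated blocks.
        subnets = {ip.rsplit(".", 1)[0] for ip in ips}
        summary[domain] = {
            "lookups": len(rows),
            "unique_ips": len(ips),
            "unique_subnets": len(subnets),
            "mean_ttl": mean(ttl for _, ttl in rows),
        }
    return summary

def flag_fast_flux(records, min_ips=3, min_subnets=2, max_ttl=300):
    """Return domains whose resolution pattern looks like fast flux.
    Thresholds are illustrative assumptions, not a vendor's rule set."""
    flagged = []
    for domain, s in summarize(records).items():
        if (s["unique_ips"] >= min_ips and s["unique_subnets"] >= min_subnets
                and s["mean_ttl"] <= max_ttl):
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    for domain in flag_fast_flux(SAMPLE_RECORDS):
        print("fast-flux candidate:", domain)
```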
The researchers identified PteroBleed, an infostealer designed to exfiltrate sensitive military and governmental information, as a highlight of the tools Gamaredon has deployed recently. The methodology and timeline of tool development are elaborated, showcasing the group’s commitment to evolving its capabilities over time.
Despite the simplicity of its tools, Gamaredon’s aggressive tactics and persistent operations position the group as a significant threat in the geopolitical landscape of cyber warfare, especially given the ongoing conflict in Ukraine. The expert analysis provides a comprehensive understanding of Gamaredon’s techniques and potential risks, contributing to a broader conversation about cybersecurity in conflict zones.
ESET Research’s detailed findings underscore the complexity of the cyber threats facing Ukraine and emphasize the importance of ongoing vigilance against advanced persistent threats. For a more thorough examination of Gamaredon’s cyber activities and their operational framework, ESET offers further resources, including technical breakdowns and indicators of compromise on their platforms.