
Trident Ursa APT UAC-0010 (aka Gamaredon, Armageddon)

Updated on 2022-12-22: Gamaredon APT

PAN’s Unit 42 has published a report on recent operations of the Trident Ursa APT (aka Gamaredon, Armageddon). These operations have targeted Ukraine for almost the entire year but have also included “an unsuccessful attempt to compromise a large petroleum refining company within a NATO member nation on August 30.” However, the strangest part of the report is a series of threats made on Twitter by a Trident Ursa member against Mikhail Kasimov, a Ukrainian security researcher who has previously published Gamaredon IOCs and lives in one of the Ukrainian war zones. Some of these tweets are still up. Read more: Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine

Updated on 2022-11-21: Gamaredon APT

Unit 42 revealed that the Russia-based Gamaredon APT group targeted a large petroleum refining company in a NATO country. The attack was, however, unsuccessful. Read more: Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine

Updated on 2022-11-09: UAC-0010

Ukraine’s CERT team said it detected a spear-phishing operation carried out by the UAC-0010 (Armageddon/Gamaredon) group, which was posing as Ukraine’s SSSCIP agency. Read more: Cyberattack by the UAC-0010 group: distribution of emails purportedly on behalf of the SSSCIP (CERT-UA#5570)

Overview: Infamous Russian state-sponsored actor launches new campaign in Ukraine

Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint. This campaign aligns with Gamaredon’s past motivations of targeting Ukraine since Russia’s invasion.

