When time is money.
The Computer Emergency Response Team of Ukraine (CERT-UA) warns of the actions of the Gamaredon hacker group, which is capable of stealing data from systems within an hour of penetration.
The Gamaredon Group (also known as Armageddon, UAC-0010, Shuckworm, Actinium, Iron Tilden, Primitive Bear, Trident Ursa) has repeatedly carried out targeted cyberattacks on government authorities and critical IT infrastructure in Ukraine.
Gamaredon attacks usually start with a message on Telegram, WhatsApp, and Signal. Hackers trick the victim into opening malicious attachments masquerading as Microsoft Word or Excel documents. The execution of attachments leads to the download and execution of malicious PowerShell scripts and the 'GammaSteel' malware on the victim's device.
Hackers also modify Microsoft Word templates on infected computers so that all documents created on them contain a malicious macro capable of spreading the Gamaredon malware to other systems. Additionally, the PowerShell script captures session data from browser cookies, allowing hackers to control the victim's accounts protected by two-factor authentication (2FA).
Regarding the functionality of 'GammaSteel', CERT-UA indicates that the malware targets files with specific extensions (.doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, .mdb). The attacker exports the documents of interest within 30-50 minutes.
Another feature of the Gamaredon attacks is that a compromised computer can be infected within a week. And in that week, hackers can place up to 120 malicious files on the breached system, increasing the likelihood of reinfection. In other words, if there is at least one infected file or document left after the system cleanup process, it will infect the rest of the files again.
In addition, Gamaredon automatically infects all connected USB devices, spreading to isolated networks. Also, cybercriminals regularly, from 3 to 6 times a day, change the IP addresses of intermediate C2 servers, which makes it difficult to block activity or track hackers' actions.
CERT-UA reports that the most effective way to limit the impact of Gamaredon attacks is to block or restrict the unauthorized execution of programs «mshta.exe", «wscript.exe", «cscript.exe" and «powershell.exe".
The agency notes that Gamaredon's attacks are more aimed at espionage and information theft than sabotage. The center also highlighted the "persistent" evolution of the hackers' tactics, which update their malware kit to stay out of sight, calling Gamaredon a "key cyber threat."
Earlier, Palo Alto Networks researchers reported that in August 2022, the Gamaredon group carried out an unsuccessful attack on a large oil refining company in one of the NATO member countries.
---------
According to the SBU, FSB hackers received prison sentences in absentia
Thanks to the evidence base of the Security Service and the State Bureau of Investigation, two members of the FSB hacker group called "Armageddon" were sentenced to prison in absentia.
According to the case file, the attackers committed more than 5 thousand cyberattacks on government agencies and critical infrastructure facilities of Ukraine.
The largest number of them accounted for the electronic systems of the Ministry of Foreign Affairs and the Ministry of Economic Development of our state.
As the investigation established, the purpose of the hacker attacks was to gain access to the electronic document management system and servers with secret data of government agencies of our state.
According to the investigation, the key organizers of subversive activities are two former employees of the SBU department in the Autonomous Republic of Crimea, who betrayed their oath in 2014.
Then they voluntarily joined the "branch" of the FSB in the temporarily occupied peninsula.
According to the materials of Ukrainian law enforcement officers, the court sentenced both traitors to 15 years in prison.
They were found guilty under two articles of the Criminal Code of Ukraine:
1 of Article 111 (high treason);
2 of Article 361 (unauthorized interference in the operation of electronic computers (computers) and automated systems).
The trial took place in special proceedings in absentia (in the absence of the accused).
The term of serving the sentence will be calculated from the date of the actual detention of the convicts.
The special pre-trial investigation was conducted under the procedural guidance of the Prosecutor General's Office.
Source
The Computer Emergency Response Team of Ukraine (CERT-UA) warns of the actions of the Gamaredon hacker group, which is capable of stealing data from systems within an hour of penetration.
The Gamaredon Group (also known as Armageddon, UAC-0010, Shuckworm, Actinium, Iron Tilden, Primitive Bear, Trident Ursa) has repeatedly carried out targeted cyberattacks on government authorities and critical IT infrastructure in Ukraine.
Gamaredon attacks usually start with a message on Telegram, WhatsApp, and Signal. Hackers trick the victim into opening malicious attachments masquerading as Microsoft Word or Excel documents. The execution of attachments leads to the download and execution of malicious PowerShell scripts and the 'GammaSteel' malware on the victim's device.
Hackers also modify Microsoft Word templates on infected computers so that all documents created on them contain a malicious macro capable of spreading the Gamaredon malware to other systems. Additionally, the PowerShell script captures session data from browser cookies, allowing hackers to control the victim's accounts protected by two-factor authentication (2FA).
Regarding the functionality of 'GammaSteel', CERT-UA indicates that the malware targets files with specific extensions (.doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, .mdb). The attacker exports the documents of interest within 30-50 minutes.
Another feature of the Gamaredon attacks is that a compromised computer can be infected within a week. And in that week, hackers can place up to 120 malicious files on the breached system, increasing the likelihood of reinfection. In other words, if there is at least one infected file or document left after the system cleanup process, it will infect the rest of the files again.
In addition, Gamaredon automatically infects all connected USB devices, spreading to isolated networks. Also, cybercriminals regularly, from 3 to 6 times a day, change the IP addresses of intermediate C2 servers, which makes it difficult to block activity or track hackers' actions.
CERT-UA reports that the most effective way to limit the impact of Gamaredon attacks is to block or restrict the unauthorized execution of programs «mshta.exe", «wscript.exe", «cscript.exe" and «powershell.exe".
The agency notes that Gamaredon's attacks are more aimed at espionage and information theft than sabotage. The center also highlighted the "persistent" evolution of the hackers' tactics, which update their malware kit to stay out of sight, calling Gamaredon a "key cyber threat."
Earlier, Palo Alto Networks researchers reported that in August 2022, the Gamaredon group carried out an unsuccessful attack on a large oil refining company in one of the NATO member countries.
---------
According to the SBU, FSB hackers received prison sentences in absentia
Thanks to the evidence base of the Security Service and the State Bureau of Investigation, two members of the FSB hacker group called "Armageddon" were sentenced to prison in absentia.
According to the case file, the attackers committed more than 5 thousand cyberattacks on government agencies and critical infrastructure facilities of Ukraine.
The largest number of them accounted for the electronic systems of the Ministry of Foreign Affairs and the Ministry of Economic Development of our state.
As the investigation established, the purpose of the hacker attacks was to gain access to the electronic document management system and servers with secret data of government agencies of our state.
According to the investigation, the key organizers of subversive activities are two former employees of the SBU department in the Autonomous Republic of Crimea, who betrayed their oath in 2014.
Then they voluntarily joined the "branch" of the FSB in the temporarily occupied peninsula.
According to the materials of Ukrainian law enforcement officers, the court sentenced both traitors to 15 years in prison.
They were found guilty under two articles of the Criminal Code of Ukraine:
1 of Article 111 (high treason);
2 of Article 361 (unauthorized interference in the operation of electronic computers (computers) and automated systems).
The trial took place in special proceedings in absentia (in the absence of the accused).
The term of serving the sentence will be calculated from the date of the actual detention of the convicts.
The special pre-trial investigation was conducted under the procedural guidance of the Prosecutor General's Office.
Source
