Highly Active ‘Gamaredon’ Group Provides Services to Other APTs

New evidence suggests that the Russia-linked threat actor Gamaredon is a hack-for-hire group that offers its services to other advanced persistent threat (APT) actors, similar to crimeware gangs, according to security researchers with Cisco’s Talos division.

Also referred to as Primitive Bear and active since at least 2013, the threat actor has been long associated with pro-Russia activities, showing a focus on Ukrainian targets. However, the group targets victims worldwide for espionage purposes and is not as stealthy as other major APT actors.

Despite being exposed several times in the past, the group has continued operations unhindered, gathering information on intended targets and sharing the data with other units, likely more advanced threat actors. In addition to offering services to these APTs, however, the gang is conducting its own, separate activity as well.

The tactics, techniques and procedures (TTPs) employed by Gamaredon, Talos says, are commonly observed in the crimeware world and include the use of trojanized installers, self-extracting archives, spam emails with malicious payloads, template injection, and the like.

Furthermore, the group operates an infrastructure of more than 600 active domains used as command and control (C&C) for the first-stage payload, which in turn deploys the second-stage payloads and updates both stages when needed.

“APT groups are often associated with focused, high-impact activities with extremely small footprints leading to an extremely stealthy activity that’s hard to detect. However, Gamaredon is the opposite of that — though it’s still considered an APT actor,” Talos explains.

One of the most active and undeterred actors, Gamaredon doesn’t show the same fluency and techniques that more advanced operations employ, but there’s also no indicator that the group profits off the information stolen from victims.

According to Cisco’s researchers, the group’s modus operandi resembles that of second-tier APTs that pass critical information to top-tier units, operating as a service provider for more advanced APTs. However, it also engages in side jobs and takes special care to avoid certain IP addresses — in one campaign Cisco observed roughly 1,700 IP addresses from 43 different countries.


Despite the lack of high-level technical expertise, the threat actor clearly has capability (given the size of its infrastructure), shows dedicated development effort to add new capabilities and features, and continues to be active, with the latest activity observed in February 2021.

Gamaredon might not necessarily be a state-sponsored actor, but could instead be working for whoever pays the most. The group could still be considered an APT, given its specific interest in Ukraine and its lack of attempts to monetize stolen data, but it has a diverse range of targets and an almost crimeware-like approach.

“This group has targeted a major bank in Africa, U.S. educational facilities, European telecommunications and hosting providers. The seemingly specific victimology of Gamaredon is thrown into doubt, as we have uncovered a myriad of different vertices, not limited to the above mentioned, and seemingly with a widespread approach that goes beyond only Ukraine,” Talos notes.

Thus, the researchers consider Gamaredon a second-tier APT that provides breach services to tier-one actors, much as happens in the cybercrime scene. Furthermore, the group lacks the sophistication of other APTs and often has poor OPSEC or makes amateurish mistakes that result in its operations being exposed.

“We believe that challenging the status quo on Gamaredon and others that could fit the previous definition, is beneficial as a whole. It will help organizations better understand the threats that they must focus their resources on. The fact remains Gamaredon remains a notoriously prolific group operating without any constraints on a globally impacting level,” Talos concludes.

Related: Russian ‘Gamaredon’ Hackers Back at Targeting Ukraine Officials

Related: “Gamaredon” Group Uses Custom Malware in Ukraine Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
