Highly Active ‘Gamaredon’ Group Provides Services to Other APTs

New evidence suggests that the Russia-linked threat actor Gamaredon is a hack-for-hire group that offers its services to other advanced persistent threat (APT) actors, similar to crimeware gangs, according to security researchers with Cisco’s Talos division.

Also referred to as Primitive Bear and active since at least 2013, the threat actor has long been associated with pro-Russia activities and a focus on Ukrainian targets. However, the group targets victims worldwide for espionage purposes and is not as stealthy as other major APT actors.

Despite being exposed several times in the past, the group has continued operations unhindered, gathering information on intended targets and sharing the data with other units, likely more advanced threat actors. In addition to offering services to these APTs, however, the gang is conducting its own, separate activity as well.

The tactics, techniques and procedures (TTPs) employed by Gamaredon, Talos says, are commonly observed in the crimeware world, and include the use of trojanized installers, self-extracting archives, spam emails with malicious payloads, template injection, and the like.
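Of the TTPs listed above, template injection is the one most amenable to a cheap static check: a Word document carries a relationship of type attachedTemplate whose target points outside the package, so the lure itself is clean and the payload is fetched when the file is opened. The scanner below is an added example, not code from Talos or from the article; it builds a minimal, constructed .docx package in memory (the clean and the lure variants) and flags external attachedTemplate relationships. The package layout is simplified (it omits the settings.xml reference to the relationship) and the template URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace of package relationship files and the relationship type
# Word uses to point a document at its attached (.dot/.dotm/.dotx) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_remote_templates(docx_bytes):
    """Scan every .rels part of a .docx/.dotx package and return the
    (rels_part, target) pairs of attachedTemplate relationships whose
    TargetMode is External.

    A locally attached template has no TargetMode (internal target). An
    external http(s)/UNC target is what template injection relies on:
    Word resolves it at open time and loads whatever the server returns.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((part, rel.get("Target")))
    return hits


def build_sample_docx(template_target=None):
    """Construct a minimal Word package (constructed sample, not a real
    lure). With template_target set, it carries the external
    attachedTemplate relationship a template-injection document needs."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" '
        'ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    )
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_target is not None:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_target))
    rels.append('</Relationships>')

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        pkg.writestr("word/settings.xml", '<?xml version="1.0"?><settings/>')
        # Word keeps the template relationship beside settings.xml.
        pkg.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx()
    # Placeholder URL; a real lure would point at attacker infrastructure.
    lure = build_sample_docx("http://template.example.invalid/update.dotm")
    print("clean:", find_remote_templates(clean))
    print("lure: ", find_remote_templates(lure))
```

Run it against a mail-gateway quarantine or a sample set; any hit is worth blocking outright, since legitimate documents almost never attach a template over HTTP. Other External relationships (hyperlinks, linked images) are deliberately ignored here because they are common in benign files.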

Furthermore, the group operates an infrastructure of more than 600 active domains that are used as command and control (C&C) for the first stage, which deploys the second stage payloads and updates both stages when needed.

“APT groups are often associated with focused, high-impact activities with extremely small footprints leading to an extremely stealthy activity that’s hard to detect. However, Gamaredon is the opposite of that — though it’s still considered an APT actor,” Talos explains.

One of the most active and undeterred actors, Gamaredon lacks the fluency and techniques that more advanced operations employ. At the same time, there is no indication that the group profits from the information it steals from victims.

According to Cisco’s researchers, the group’s modus operandi resembles that of second-tier APTs that pass critical information to top-tier units, operating as a service provider for more advanced APTs. It also takes on side jobs, and it takes special care to avoid certain IP addresses: in one campaign, Cisco observed roughly 1,700 IP addresses from 43 different countries.

Despite its lack of high-level technical expertise, the threat actor clearly has capability (given the size of its infrastructure), shows a dedicated development effort to add new capabilities and features, and continues to be active to date, with the latest activity observed in February 2021.

Gamaredon may not be a state-sponsored actor at all, but one that works for whoever pays the most. It can still be considered an APT, given its specific interest in Ukraine and the absence of any attempt to monetize stolen data, yet its targeting is diverse and its approach almost crimeware-like.

“This group has targeted a major bank in Africa, U.S. educational facilities, European telecommunications and hosting providers. The seemingly specific victimology of Gamaredon is thrown into doubt, as we have uncovered a myriad of different vertices, not limited to the above mentioned, and seemingly with a widespread approach that goes beyond only Ukraine,” Talos notes.

Thus, the researchers consider Gamaredon a second-tier APT, which provides breach services to tier-one actors, in a manner similar to what happens in the cybercrime scene. Furthermore, the group lacks the sophistication of others and often has bad OPSEC or makes amateurish mistakes that result in their operations being exposed.

“We believe that challenging the status quo on Gamaredon and others that could fit the previous definition, is beneficial as a whole. It will help organizations better understand the threats that they must focus their resources on. The fact remains Gamaredon remains a notoriously prolific group operating without any constraints on a globally impacting level,” Talos concludes.

Related: Russian ‘Gamaredon’ Hackers Back at Targeting Ukraine Officials

Related: “Gamaredon” Group Uses Custom Malware in Ukraine Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
