A Russia-based advanced persistent threat group that has been active for almost a decade has stepped up malicious cyberattack activity in Ukraine recently in another example of how geopolitical tensions routinely spill over into the cyber domain these days.
For organizations, the attacks are a reminder of why they need to pay close attention to systems located in the region and take measures to contain damage if they are targeted.
Researchers from Microsoft, Symantec, and Palo Alto Networks’ Unit 42 group last week released separate reports on recent cyber-espionage activity they observed tied to Actinium (aka Gameredon and Shuckworm), a threat actor believed linked to Russia’s Federal Security Service (FSB).
The attacks are part of a broader set of malicious cyber activity targeting Ukrainian entities that several security researchers have observed in recent months amid escalating tensions between Russia and Ukraine. The activity — which many believe is being conducted by Russian operatives — has affected a wide range of government and private organizations in Ukraine. It has included ransomware and other forms of destructive attacks, cyber-enabled espionage activity, disinformation campaigns, and false flag operations.
Nick Biasini, head of outreach at Cisco Talos, says the current malicious cyber activity in Ukraine is not very different from what it has observed in the region previously. But it significant given the current escalating tensions between Russia and Ukraine.
“Since NotPetya happened in 2017, we’ve been recommending additional scrutiny for systems that reside in or are connected to entities residing inside Ukraine,” Biasini says. “This can include isolating them through network architecture and having increased monitoring/hunting activities surrounding these systems as they have been shown to be targeted by advanced actors.”
Microsoft said it had observed Actinium targeting and compromising organizations critical to Ukraine’s emergency response capabilities and national security. Actinium’s attacks started in October 2021 and have also affected organizations involved in humanitarian aid activities in Ukraine. Microsoft’s analysis of Actinium’s latest campaign shows the threat actor is predominantly using spear-phishing emails with malicious attachments that employ a method known as remote template injection in order to load malware on compromised systems. The method involves using one document to load another remote document that contains malicious code and is designed to evade static malware detection tools. The phishing lures that Actinium is using include those that spoof legitimate organizations, such as the World Health Organization, Microsoft said.
Once the threat actor gains access to a network, it deploys a variety of other sophisticated malware tools to carry out its mission. One of them is a tool called Pterodo, which allows Actinium members to gain interactive access to a network so they can carry out hands-on-keyboard attacks. Other tools that Microsoft observed Actinium using in its latest attacks include QuietSieve, a malicious binary for exfiltrating data, and PowerPunch, a malware dropper that executes as a one-line command from within PowerShell.
Meanwhile, according to Palo Alto Network’s Unit 42 group, at least one of Actinium’s recent targets was a Western government entity based in Ukraine. In that Jan. 19, 2022, attack, the threat actor uploaded their malware as a resume in response to an active job positing on a job search site in Ukraine. The weaponized resume was later submitted through the job search platform to the targeted Western government entity, Palo Alto said. The security vendor, which tracks Actinium as Gamaredon, said it had identified 136 domains that the threat actor has used over the past two months in its attacks against organizations in Ukraine; of these, 131 have IP addresses that are hosted in Russia.
Palo Alto Networks discovered 17 initial malware downloaders that Actinium/Gamaredon has used in its Ukrainian campaign over the past three months. Like Microsoft, Palo Alto also described the downloaders as employing a remote template injection technology designed to allow malicious code to be pulled down from a remote location using a benign document.
Symantec, which also released indicators of compromise and TTPs for detecting Actinium activity last week, described the threat actor’s command-and-control infrastructure as being largely hosted in Russia.
“Having systems in this region can introduce increased attention by advanced actors,” Biasini says. “With that knowledge enterprises should protect themselves accordingly.”
Along with the attacks and campaigns by groups such as Actinium, there have also been attempts by some groups to complicate attribution efforts. Cisco Talos said it had recently analyzed new information about recent attacks in Ukraine that appeared to be designed to create multiple false narratives about the attacks in Ukraine and who might be behind them.
In one campaign that the company investigated, the threat actor attempted to make it appear as if actors in Poland and Ukraine were responsible for recent cyberattacks in Ukraine. According to Cisco Talos, the primary motive of these efforts appeared to be to plant doubt about the true sources of the attacks.