The Russian-sponsored hacker group known as Gamaredon continues to attack Ukrainian organizations and remains one of the “key cyber threats” for Ukraine’s cyberspace, according to a report the Ukrainian government published Wednesday.
Ukraine claims that Gamaredon operates from the city of Sevastopol in Russia-occupied Crimea, but acts on orders from the FSB Center for Information Security in Moscow. The group began operations in June 2013, just months before Russia forcibly annexed the Crimean Peninsula from Ukraine.
In its recent campaigns against Ukraine, Gamaredon used variants of PowerShell info-stealer malware known as GammaLoad and GammaSteel.
These are custom-made information stealer implants that can exfiltrate files of specific extensions, steal user credentials and take screenshots of the victim’s computer, according to Ukraine’s State Cyber Protection Centre.
According to the report, Gamaredon hackers have evolved throughout the war, improving their tactics and redeveloping used malware variants to stay undetected.
“Not a week goes by that we didn’t detect some new mass phishing email campaign with Gamaredon malware,” a CERT-UA spokesperson said.
In 2022, Ukraine registered more than 70 incidents related to the group, the agency said.
Gamaredon also attacks Ukraine’s allies. In late January, Latvia confirmed a phishing attack on its Ministry of Defense, linking it to the group.
Ukrainian cybersecurity officials described their attacks as intrusive and audacious, and said the group’s main purpose was “to conduct targeted cyberintelligence operations.”