Gamaredon, a hacking group with a fixation on Ukraine, deploys new email compromise tools

A Russian-speaking espionage group has been using new email hacking tools in a multi-month campaign intended to infiltrate unidentified government organizations, according to new research.

The group, known as Gamaredon, has spent the last six months inundating the organizations with spearphishing emails and not bothering to cover their tracks, the Slovak anti-virus company ESET said Thursday.

The researchers declined to name the government targeted. But historically, Gamaredon is one of multiple Russia-linked groups that have spied on Ukrainian government and corporate officials. And it is one of the more conspicuous ones.

“They make no effort to stay under the radar,” Jean-Ian Boutin, ESET’s head of threat research, told CyberScoop. “One hypothesis is that they are doing that to create a state of constant dread in their targets.”

One of the hacking tools uses a victim’s Microsoft Outlook account to send spearphishing messages to people in their contact address book. Another tool injects malicious code into Microsoft Office documents. The researchers don’t know if the attacks have been successful. They do know that the hackers are trying to smuggle government documents to servers they control.

The Ukrainian government’s Computer Emergency Response Team, which tracks Gamaredon and other hacking groups, did not respond to a request for comment on the research.

They keep it simple

It is the latest activity from a hacking group that has overwhelmingly focused on targets in Ukraine. Gamaredon first surfaced around the time of the 2014 Ukrainian revolution, when protesters ousted pro-Russian president Viktor Yanukovych. In the years since, researchers have repeatedly outed Gamaredon operations against Ukrainian organizations. The SBU, Ukraine’s main security service, has previously accused Gamaredon-linked hackers of operating on behalf of Russia’s FSB intelligence agency.

Simplicity, rather than stealth, is the name of the game for Gamaredon.

“The tools used by Gamaredon are very simple and are designed to gather sensitive information from compromised systems and to spread further,” the ESET researchers wrote in a blog post.

The group is relentless and chooses its phishing targets carefully, said Vlad Radetskiy, an analyst at Kyiv-based security company OptiData who has tracked Gamaredon for clients. But some of the malicious documents they deliver to targets have contained coding errors that make them less potent spying tools than they could be, he said.

“I think different people are designing the phishing lures than those who are making the weaponized documents,” Radetskiy told CyberScoop.

The Trump administration has tried to boost Ukrainian organizations’ defenses against a barrage of Russian hacking. The State Department in March announced $8 million in cybersecurity aid to Ukraine, adding to $10 million already committed. On Thursday, the Pentagon said that an unspecified amount of $250 million in U.S. military assistance would go to helping Ukraine “counter Russian cyber offensive operations and misinformation.”