Cybersecurity researchers on Monday said they had uncovered evidence of attempted attacks by a Russia-linked hacking operation targeting a Ukrainian entity in July 2021.
Broadcom-owned Symantec, in a new report published Monday, attributed the attacks to an actor tracked as Gamaredon (aka Shuckworm or Armageddon), a cyber-espionage collective known to be active since at least 2013.
In November 2021, Ukrainian intelligence agencies branded the group a "special project" of Russia's Federal Security Service (FSB), and blamed it for carrying out over 5,000 cyberattacks against public government and critical infrastructure located in the country.
Gamaredon attacks typically originate with phishing emails that trick recipients into installing a custom remote access trojan known as Pterodo. Symantec disclosed that, between July 14, 2021 and August 18, 2021, the actor installed several variants of the backdoor and deployed additional scripts and tools.
"The attack chain began with a malicious document, most likely sent via a phishing email, which was opened by the user of the infected machine," the researchers said. The identity of the affected organization was not disclosed.
Towards the end of July, the adversary leveraged the implant to download and run an executable file that acted as a dropper for a VNC client, before establishing connections with a remote command-and-control server under their control.
"This VNC client appears to be the final payload for this attack," the researchers noted, adding that the installation was followed by access to a number of documents, ranging from job descriptions to sensitive company information, on the compromised machine.
Ukraine Calls Out False Flag Operation in Wiper Attacks
The findings come amidst a wave of disruptive and destructive attacks levied against Ukrainian entities by alleged Russian state-sponsored actors, resulting in the deployment of a file wiper dubbed WhisperGate, around the same time that several websites belonging to the government were defaced.
Subsequent investigation into the malware has since revealed that the code used in the wiper was repurposed from a fake ransomware campaign known as WhiteBlackCrypt that was aimed at Russian victims in March 2021.
Interestingly, the ransomware is known to include a trident symbol, which is part of Ukraine's coat of arms, in the ransom note it displays to its victims, leading Ukraine to suspect that this may have been a false flag operation deliberately intended to blame a "fake" pro-Ukrainian group for staging an attack on its own government.