Gamaredon Explained

Gamaredon, also known as Primitive Bear, UNC530, ACTINIUM, or Aqua Blizzard^[1] (by Microsoft) is a Russian advanced persistent threat that has been active since at least 2013.

Motivation

Cyber espionage appears to be the main goal of the group,; unlike most APTs, Gamaredon broadly targets all users all over the globe (in addition to also focusing on certain victims, especially Ukrainian organizations) and appears to provide services for other APTs.^[2] For example, the InvisiMole threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted.^[3]

Tactics

The group frequently uses spear phishing techniques with malicious code attachments that download remote templates containing malware.

Malware used by the group includes Pterodo, PowerPunch, ObfuMerry, ObfuBerry, DilongTrash, DinoTrain, and DesertDown.

Ukraine

See main article: 2022 Ukraine cyberattacks. On 19 January 2022, they attempted to compromise a Western government entity in Ukraine.^[4]

See also

• Cyberwarfare by Russia
• Russo-Ukrainian cyberwarfare

Notes and References

1. Web site: How Microsoft names threat actors . Microsoft . 21 January 2024.
2. Web site: Gamaredon - When nation states don't pay all the bills. Warren Mercer. Vitor Ventura. Cisco. 23 February 2021. 9 May 2022.
3. Web site: Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers. Charlie Osborne. ZDNet. 21 March 2022. 9 May 2022.
4. Web site: Microsoft discloses new details on Russian hacker group Gamaredon. Kyle Alspach. VentureBeat. 4 February 2022. 9 May 2022.