
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Gamaredon Group

Names: Gamaredon Group (Palo Alto), Winterflounder (iDefense), Primitive Bear (CrowdStrike), BlueAlpha (Recorded Future)
Country: Russia
Sponsor: State-sponsored, FSB 16th & 18th Centers
Motivation: Information theft and espionage
First seen: 2013
Description: (Lookingglass) The Lookingglass Cyber Threat Intelligence Group (CTIG) has been tracking an ongoing cyber espionage campaign named “Operation Armageddon”. The name was derived from multiple Microsoft Word documents used in the attacks. “Armagedon” (spelled incorrectly) was found in the “Last Saved By” and “Author” fields in multiple Microsoft Word documents. Although continuously developed, the campaign has been intermittently active at a small scale, and uses unsophisticated techniques. The attack timing suggests the campaign initially started due to Ukraine’s decision to accept the Ukraine-European Union Association Agreement (AA). The agreement was designed to improve economic integrations between Ukraine and the European Union. Russian leaders publicly stated that they believed this move by Ukraine directly threatened Russia’s national security. Although initial steps to join the Association occurred in March 2012, the campaign didn’t start until much later (mid-2013), as Ukraine and the EU started to more actively move towards the agreement.

Russian actors began preparing for attacks in case Ukraine finalized the AA. The earliest identified modification timestamp of malware used in this campaign is June 26, 2013. A group of files with modification timestamps between August 12 and September 16, 2013 were used in the first wave of spear-phishing attacks, targeting government officials prior to the 10th Yalta Annual Meeting: “Changing Ukraine in a Changing World: Factors of Success.”
Observed: Sectors: Defense, Government, Law enforcement, NGOs, diplomats and journalists.
Countries: Ukraine.
Tools used: Aversome infector, EvilGnome, FRAUDROP, Gamaredon, Pteranodon, RMS, Resetter, UltraVNC.
Operations performed:
Apr 2019: The discovered attack appears to be designed to lure military personnel: it leverages a legit document of the “State of the Armed Forces of Ukraine” dated back to the 2nd April 2019.
<https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/>
May 2019: The Gamaredon attacks against Ukraine don’t seem to have stopped. A month after our last report we spotted a new suspicious email potentially linked to the Gamaredon group.
<https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-a-month-later/>
Jul 2019: EvilGnome: Rare Malware Spying on Linux Desktop Users
<https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/>
Oct 2019: Lure documents observed appear to target Ukrainian entities such as diplomats, government employees, military officials, and more.
<https://www.anomali.com/blog/malicious-activity-aligning-with-gamaredon-ttps-targets-ukraine#When:15:00:00Z>
Nov 2019: New wave of attacks
<https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/>
Dec 2019: Gamaredon APT Improves Toolset to Target Ukraine Government, Military
<https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/>
Mar 2020: Moving into March 2020, countries worldwide are still struggling to manage the spread of the viral disease now known as COVID-19. In cyberspace, threat actors are using the topic of COVID-19 to their advantage, with numerous examples of malicious activity using COVID-19 as lure documents in phishing campaigns.
<https://info.ai.baesystems.com/rs/308-OXI-896/images/COVID-19-Infographic-Mar2020.pdf>
Apr 2020: The attacks we found all arrived through targeted emails (MITRE ATT&CK framework ID T1193). One of them even had the subject “Coronavirus (2019-nCoV).”
<https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/>
Information:
<https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf>
<https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/>
<https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html>
<https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/>
<https://www.recordedfuture.com/bluealpha-iranian-apts/>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0047/>

Last change to this card: 04 August 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
