
The Russian threat actor known as Shuckworm is continuing its cyberattacks against Ukrainian organizations with the aim of stealing sensitive information from compromised environments.
Targets of the recent intrusions, which began in February and March 2023, include security services, the military and government agencies, Symantec said in a new report shared with The Hacker News.
“In some cases, the Russian group has managed to stage long-running intrusions lasting as long as three months,” the cybersecurity firm said.
“The attackers repeatedly attempted to access and steal classified information, including reports on the deaths of Ukrainian soldiers, reports on enemy engagements and airstrikes, arsenal inventory reports, and training reports.”
Shuckworm, also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, is attributed to the Russian Federal Security Service (FSB). It is said to have been active since at least 2013.

Its cyber-espionage campaigns consist of spear-phishing emails designed to lure victims into opening malicious attachments, which ultimately lead to the deployment of information-stealing malware such as Giddome, Pterodo, GammaLoad and GammaSteel on the infected hosts.
According to Secureworks’ threat actor profile, “Iron Tilden sacrifices some operational security in favor of high-tempo operations, which means that its use of certain dynamic DNS providers, Russian hosting providers, and regular use of remote template injection techniques makes its infrastructure identifiable.”
In a series of recent attacks detailed by Symantec, attackers have been observed using a new PowerShell script to spread the Pterodo backdoor via USB drives.
While it is well documented that Shuckworm uses Telegram channels to obtain the IP addresses of the servers hosting its payloads, the threat actor is said to have expanded this technique to also store command-and-control (C2) addresses on Telegraph, Telegram’s publishing platform.
The group also uses a PowerShell script (“foto.safe”) that spreads via compromised USB drives and has the ability to download additional malware onto the host.
Further analysis of the intrusions shows that the attackers compromised machines in the human resources departments of the targeted organizations, suggesting that they were attempting to gather information about various individuals working for those organizations.
This finding is another sign of Shuckworm’s continued reliance on short-lived infrastructure and the continued evolution of tactics and tools to stay ahead of the detection curve.
The report also arrives a day after Microsoft revealed destructive attacks, espionage and intelligence operations carried out against Ukraine by another Russian nation-state actor known as Cadet Blizzard.
“This activity demonstrates Shuckworm’s continued relentless focus on Ukraine,” Symantec said. “It seems clear that Russian nation-state-backed attack groups continue to laser-focus on Ukrainian targets in an attempt to find data that could aid military operations.”