A New Report Exposes Shuckworm's Persistent Hacks Against Ukrainian Organisations

Shuckworm, a Russian threat actor linked to the Federal Security Service (FSB), has stepped up its cyberattack campaign against Ukrainian organisations in an effort to infiltrate their environments and steal sensitive data. According to a Symantec analysis, the current intrusions, which began in February or March 2023, most often targeted security services, the military and government organisations.

The cybersecurity firm disclosed that the Russian group had carried out persistent breaches, some of which lasted as long as three months. Throughout these intrusions, Shuckworm's goal is to locate sensitive data and exfiltrate it. The targeted material includes reports on the deaths of Ukrainian service members, on engagements with enemy forces and airstrikes, on weapons inventories, on training, and more.

Shuckworm has been active since at least 2013. It is also tracked as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530 and Winterflounder. Its cyber espionage operations typically begin with spear-phishing emails that lure victims into opening malicious attachments, which in turn deliver malware families such as Giddome, Pterodo, GammaLoad and GammaSteel onto the compromised systems.

In its profile of the threat actor, Secureworks notes that Shuckworm forgoes some operational security in favour of rapid-fire operations: its regular use of particular dynamic DNS providers, Russian hosting providers and remote template injection makes its infrastructure identifiable.

In the most recent round of infections catalogued by Symantec, Shuckworm spread the Pterodo backdoor via USB drives. The threat actor has also built on its known practice of using Telegram channels to locate the IP addresses of payload servers: it now stores command-and-control (C2) addresses on Telegraph, a publishing platform owned by Telegram.

Shuckworm additionally makes use of a PowerShell script named "foto.safe", delivered on infected USB drives. Because the script can download further malware onto the infected host, it lets the threat actor extend its foothold and reach within the victim's environment.
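The two behaviours just described, a PowerShell script with a non-script extension launched from removable media and a script host talking to Telegraph (telegra.ph) to fetch C2 addresses, are both cheap to hunt for in endpoint telemetry. The following is an added example written for this page, not code from Symantec or the blog author: a small Python triage routine run over constructed process-creation and network events. The drive letters treated as removable, the browser allow-list and the event field names are assumptions for the example; the only names taken from the article are "foto.safe" and Telegraph.

```python
"""Heuristic triage for the Shuckworm USB / Telegraph behaviours described above.

Added example, not part of the original report. The sample events below are
constructed for illustration; field names mimic a generic EDR export and are
an assumption, not any vendor's schema.
"""
import ntpath
import os
import re

# Assumption: in this lab, these drive letters are what Windows assigns to USB media.
REMOVABLE_ROOTS = ("D:\\", "E:\\", "F:\\")
# Normal PowerShell script extensions; anything else (e.g. ".safe") is a disguise.
SCRIPT_EXTS = {".ps1", ".psm1"}
# Telegraph, the Telegram-owned publishing platform named in the article.
TELEGRAPH_HOSTS = {"telegra.ph", "www.telegra.ph"}
# Assumption: people reading Telegraph pages in a browser is expected; a script host doing it is not.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Windows paths inside a command line: drive letter, colon, backslash, then non-space chars.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\']+')


def powershell_from_removable(event):
    """Flag powershell.exe given a file that lives on removable media.

    Returns a finding string, or None if the event does not match.
    """
    if event.get("type") != "process":
        return None
    if not event["image"].lower().endswith("powershell.exe"):
        return None
    for path in _PATH_RE.findall(event["cmdline"]):
        if path.upper().startswith(REMOVABLE_ROOTS):
            ext = os.path.splitext(path)[1].lower()
            finding = f"powershell.exe launched {path} from removable media"
            if ext not in SCRIPT_EXTS:
                finding += f" (non-script extension {ext!r})"
            return finding
    return None


def telegraph_from_script_host(event):
    """Flag a non-browser process connecting to Telegraph, where Shuckworm stores C2 addresses."""
    if event.get("type") != "network":
        return None
    if event["dest_host"].lower() not in TELEGRAPH_HOSTS:
        return None
    proc = ntpath.basename(event["image"]).lower()
    if proc in BROWSERS:
        return None
    return f"{proc} connected to {event['dest_host']} (Telegraph used to host C2 addresses)"


def triage(events):
    """Run both heuristics over a list of events and return the findings in order."""
    findings = []
    for event in events:
        for rule in (powershell_from_removable, telegraph_from_script_host):
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: one benign script run, one benign browser visit,
# and two events shaped like the behaviours described in the article.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File E:\foto.safe"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"type": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "telegra.ph"},
    {"type": "network",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "telegra.ph"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Both rules are deliberately narrow: the first fires only on PowerShell reading a file from a removable root, and the second ignores browsers so that legitimate Telegraph readers do not generate noise. On a real fleet the removable-drive check should come from the device class rather than fixed drive letters, and the Telegraph rule is best paired with the dynamic DNS and Russian hosting indicators mentioned by Secureworks.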

Analysis of the intrusions shows that the adversary successfully compromised systems in the human resources departments of the targeted organisations, which suggests that Shuckworm is actively looking for details about specific individuals connected to these entities.

These findings highlight Shuckworm's continued reliance on short-lived infrastructure and its constant refinement of evasion techniques and tooling. That flexibility and agility make it extremely difficult for defenders to recognise and stop its operations.

These discoveries follow Microsoft's recent discussion of the disruptive attacks, espionage and information operations carried out by Cadet Blizzard, another Russian nation-state actor targeting Ukraine. Shuckworm's continued focus on Ukraine suggests a concentrated effort by Russian state-backed groups to obtain information that could support military operations.

The persistence and intensification of cyberthreats coming from Russia underline the significance of expanding threat intelligence sharing, strengthening cybersecurity measures, and putting in place strong defence systems. Protecting critical infrastructure and reducing the negative effects of state-sponsored cyber actors on national security depend on quick identification and action.
