The real identities of five people reportedly involved in attacks against Ukrainian institutions attributed to the cyber-espionage group known as Gamaredon were revealed on Thursday by Ukraine’s top law enforcement and counterintelligence agency, which linked the members to Russia’s Federal Security Service (FSB).
The Security Service of Ukraine (SSU) described the hacking group as “an FSB special project that exclusively targeted Ukraine,” adding that the offenders “are officers of the ‘Crimean’ FSB and traitors who deserted to the enemy during the takeover of the peninsula in 2014.”
Sklianko Oleksandr Mykolaiovych, Miroshnychenko Oleksandr Valeriiovych, Chernykh Mykola Serhiiovych, Starchenko Anton Oleksandrovych, and Sushchenko Oleh Oleksandrovych are the names of the five people the SSU claims are involved in the covert operation.
Since its debut in 2013, the Russia-linked Gamaredon gang (also known as Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) has been involved in a series of harmful phishing attempts, especially targeting Ukrainian institutions.
The threat actor has carried out over 5,000 cyberattacks against public authorities and critical infrastructure in the country, and has attempted to infect more than 1,500 government computer systems. Most of these attacks aim to obtain intelligence from security, defense, and law enforcement institutions.
Gamaredon’s infiltration vector relies heavily on social engineering. The group has also invested in a variety of tools for getting past an organization’s defenses, written in multiple programming languages such as VBScript, C++, and C#, and making use of the PowerShell, CMD, and .NET command shells.
Citing a technical report, the agency said that the organization’s operations are marked by intrusiveness and bravado.
The most dangerous malware in its arsenal is Pterodo (also called Pteranodon). It is a modular remote administration tool that includes remote access, keystroke logging, taking screenshots, accessing the microphone, and downloading more modules from a remote server.
They also used a .NET-based file stealer that collects files with the following extensions: *.doc, *.docx, *.odt, *.jpg, *.xls, *.rtf, *.pdf, and *.txt.
The third tool is a malicious payload designed to propagate malware via connected removable media while also gathering and exfiltrating data from those devices.
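The two tool behaviours described above (a stealer that sweeps up documents with a fixed set of extensions, and a component that writes itself to removable media) both leave a recognisable pattern in endpoint file-access telemetry. The following is an added detection example written for this article; it is not code from the SSU report or from any Gamaredon sample. It parses a small, constructed file-access log (the log format, process names, paths and thresholds are all assumptions for illustration) and flags processes that read an unusual number of distinct document files within a short window, or that write executable-like files onto a drive the operator has marked as removable. The extension list is the one quoted in the article; everything else is a hypothetical heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article says the .NET file stealer collects.
STOLEN_EXTENSIONS = {".doc", ".docx", ".odt", ".jpg", ".xls", ".rtf", ".pdf", ".txt"}

# Constructed file-access events (hypothetical log format, not from the page):
# "<iso timestamp> pid=<n> proc=<name> op=read|write path=<path>"
SAMPLE_LOG = r"""
2021-11-04T10:00:01 pid=4120 proc=WINWORD.EXE op=read path=C:\Users\olena\Documents\budget.docx
2021-11-04T10:02:30 pid=4120 proc=WINWORD.EXE op=write path=C:\Users\olena\Documents\budget.docx
2021-11-04T10:05:00 pid=5533 proc=updater.exe op=read path=C:\Users\olena\Documents\budget.docx
2021-11-04T10:05:01 pid=5533 proc=updater.exe op=read path=C:\Users\olena\Documents\plan.odt
2021-11-04T10:05:02 pid=5533 proc=updater.exe op=read path=C:\Users\olena\Desktop\notes.txt
2021-11-04T10:05:03 pid=5533 proc=updater.exe op=read path=C:\Users\olena\Desktop\scan.pdf
2021-11-04T10:05:04 pid=5533 proc=updater.exe op=read path=C:\Users\olena\Pictures\id.jpg
2021-11-04T10:05:05 pid=5533 proc=updater.exe op=read path=C:\Users\olena\Documents\list.xls
2021-11-04T10:05:30 pid=5533 proc=updater.exe op=write path=E:\Documents.lnk
2021-11-04T10:05:31 pid=5533 proc=updater.exe op=write path=E:\System Volume Information\update.vbs
2021-11-04T10:07:00 pid=6001 proc=explorer.exe op=write path=E:\photos\trip.jpg
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>read|write) path=(?P<path>.+)$"
)


def parse_events(text):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "pid": int(d["pid"]),
            "proc": d["proc"].lower(),
            "op": d["op"],
            "path": d["path"],
        })
    return events


def extension_of(path):
    """Lower-cased extension of a Windows or POSIX path, or '' if there is none."""
    dot = path.rfind(".")
    sep = max(path.rfind("\\"), path.rfind("/"))
    if dot == -1 or dot < sep:
        return ""
    return path[dot:].lower()


def drive_of(path):
    """'E:' for 'E:\\foo', '' for paths without a drive letter."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def find_collection_bursts(events, window=timedelta(seconds=60), min_docs=5):
    """Map (pid, proc) -> max number of distinct document files read inside any
    window-long interval, for processes reaching min_docs (bulk-collection pattern)."""
    per_proc = defaultdict(list)
    for e in events:
        if e["op"] == "read" and extension_of(e["path"]) in STOLEN_EXTENSIONS:
            per_proc[(e["pid"], e["proc"])].append((e["ts"], e["path"]))
    hits = {}
    for key, reads in per_proc.items():
        reads.sort()
        best = 0
        for i, (t0, _) in enumerate(reads):
            # reads is time-sorted, so everything within the window follows index i
            seen = {p for t, p in reads[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= min_docs:
            hits[key] = best
    return hits


def find_removable_drops(events, removable_drives, payload_exts=(".exe", ".lnk", ".vbs")):
    """Map (pid, proc) -> paths of executable-like files written to a removable drive.
    Which drive letters are removable is supplied by the caller (an assumption here)."""
    hits = defaultdict(list)
    for e in events:
        if (e["op"] == "write"
                and drive_of(e["path"]) in removable_drives
                and extension_of(e["path"]) in payload_exts):
            hits[(e["pid"], e["proc"])].append(e["path"])
    return dict(hits)


def triage(log_text, removable_drives):
    """Run both heuristics and report processes that trip either or both."""
    events = parse_events(log_text)
    bursts = find_collection_bursts(events)
    drops = find_removable_drops(events, removable_drives)
    return {
        "collection_bursts": bursts,
        "removable_drops": drops,
        "both": sorted(set(bursts) & set(drops)),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG, {"E:"}).items():
        print(name, value)
```

In the constructed sample, WINWORD.EXE touching one document and explorer.exe copying a photo to the USB stick stay below both thresholds, while the hypothetical updater.exe trips both: six distinct document files in five seconds and two shortcut/script files written to the removable drive. On real telemetry the thresholds and the list of removable drive letters would come from the environment, and a process appearing in both lists is the one worth pulling for forensic review first.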