The Russian cyber espionage group known as Shuckworm has escalated its targeted attacks on Ukrainian entities, with the aim of stealing sensitive information from compromised systems. Symantec’s latest report reveals that the recent intrusions, which began in February/March 2023, primarily targeted security services, military organizations, and government entities.
In some instances, the Russian group managed to maintain prolonged access to the compromised environments, with intrusions lasting up to three months. The attackers focused on accessing and stealing critical information, such as reports on the deaths of Ukrainian service members, enemy engagements, air strikes, arsenal inventories, and training reports.
Shuckworm, also known by various other names such as Aqua Blizzard, Gamaredon, and Winterflounder, has been attributed to Russia’s Federal Security Service (FSB) and has been active since at least 2013. The group employs spear-phishing campaigns to lure victims into opening malicious attachments, leading to the deployment of information stealers like Giddome, Pterodo, GammaLoad, and GammaSteel on infected systems. Secureworks notes that Shuckworm prioritizes high-tempo operations over operational security, which makes its infrastructure identifiable through the regular use of specific Dynamic DNS providers, Russian hosting providers, and remote template injection techniques.
Symantec’s report highlights the latest set of attacks conducted by Shuckworm, revealing that the threat actors have adopted a new PowerShell script to propagate the Pterodo backdoor via USB drives. The grohttps://staging.cybermaterial.com/russian-state-hackers-attack-ukrainian-entities/up has expanded its techniques by utilizing Telegram channels to retrieve IP addresses of servers hosting payloads, and it has also started storing command-and-control (C2) addresses on Telegraph, a blogging platform owned by Telegram. Furthermore, Shuckworm employs a PowerShell script called “foto.safe” that spreads through compromised USB drivers and has the capability to download additional malware onto compromised hosts.
The persistent targeting of Ukrainian entities by Shuckworm demonstrates the group’s unrelenting focus on Ukraine and its ongoing efforts to gather data that may aid their military operations. These findings align with recent revelations by Microsoft regarding destructive attacks, espionage, and information operations conducted by another Russian nation-state actor known as Cadet Blizzard, further indicating the continuous threat posed by Russian-backed cyber attack groups in Ukraine
