Specialists of the Government Computer Emergency Response Team of Ukraine CERT-UA analysed the tactics, techniques, and procedures used by hackers of one of the most active and dangerous Russian hacker groups – UAC-0010 (Armageddon/Gamaredon). As a reminder, it involves former “officers” from the Security Service of Ukraine in Crimea who betrayed the Motherland in 2014 and began to serve Russia’s FSB.
The main task of the group is cyber espionage against the security and defence forces of Ukraine. It is also known for at least one case of destructive activity at an information infrastructure facility.
According to CERT-UA, the number of simultaneously infected computers, which mainly function within the information and communication systems of state bodies, can reach several thousand.
How hackers attack:
- As a vector of primary compromise, hackers mostly use e-mails and messages in messengers (Telegram, WhatsApp, Signal) sent through previously compromised accounts. The most common way is to send a victim an archive containing an HTM or HTA file, the opening of which initiates the infection chain.
- To spread malicious programmes, it is possible to damage removable media and legitimate files (in particular, shortcuts) and modify Microsoft Office Word templates, which ensures the infection of all documents created on a computer by adding the appropriate macro.
- After initial damage, attackers can steal files with .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb extensions within 30-50 minutes – mostly with GAMMASTEEL malware.
A computer functioning in an affected state for about a week can have from 80 to 120 or more malicious (infected) files, not including those created on removable media that will be connected to the computer during this period.