Ukraine’s CERT-UA Exposes Gamaredon’s Rapid Data Theft Methods
The Ukrainian government's Computer Emergency Response Team (CERT-UA) has detailed the rapid data theft methods of the advanced persistent threat (APT) group tracked as UAC-0010 (aka Armageddon, Gamaredon).
In a new advisory (in Ukrainian) published on July 13, 2023, CERT-UA said Gamaredon is made up of former officers of the Security Service of Ukraine (SBU) in Crimea who defected in 2014 and have since served the Russian FSB.
Gamaredon's primary aim is cyber espionage against Ukraine's security forces, although CERT-UA also reports evidence of destructive actions against information infrastructure targets.
The group mainly infects government computers, particularly within communication systems, often working from compromised accounts and delivering its lures by email and by Telegram, WhatsApp and Signal messages.
It also uses malware such as GammaSteel to exfiltrate files rapidly, within 30 to 50 minutes of the initial compromise, focusing primarily on documents with specific file extensions.
For about a week after the initial infection, a victim's computer may hold 80 to 120 malicious files, not counting files on removable media. If any infected file is left behind during disinfection, reinfection is highly likely.
Gamaredon's preferred method of initial compromise is to send victims an archive containing HTM or HTA files that start the infection chain.
The group relies heavily on PowerShell for document theft and remote command execution, and may install AnyDesk for interactive remote access.
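The chain described above (an HTA launched out of an extracted archive, PowerShell running underneath it within the rapid theft window, and a remote access tool installed from that PowerShell) can be hunted in process creation telemetry. The following is an added example written for this page, not code from CERT-UA or from the advisory: the event format is a simplified Sysmon-style process creation record with assumed field names (`ts`, `pid`, `ppid`, `image`, `cmd`), the sample events are constructed, and the 60-minute correlation window and the `\Temp\` path heuristic are assumptions chosen to cover the 30 to 50 minute window the advisory reports.

```python
"""Hunt for the HTA -> PowerShell -> remote-access-tool chain in process events.

Added example for this article, not CERT-UA code. Field names and the
sample events below are constructed; nothing here is an IoC from the advisory.
"""
import ntpath
from datetime import datetime, timedelta

HTA_HOST = "mshta.exe"                       # Windows host for .hta files
POWERSHELL = {"powershell.exe", "pwsh.exe"}
REMOTE_ACCESS = {"anydesk.exe"}              # tool named in the advisory
WINDOW = timedelta(minutes=60)               # assumption: covers the 30-50 minute theft window

# Constructed sample telemetry (not real Gamaredon artefacts): explorer opens an
# .hta from an archive temp folder, PowerShell runs under it, AnyDesk follows;
# a later scheduled PowerShell backup (pid 1400) is benign and must not fire.
SAMPLE_EVENTS = [
    {"ts": "2023-07-13T09:00:00", "pid": 1000, "ppid": 400,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"ts": "2023-07-13T09:01:10", "pid": 1100, "ppid": 1000,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\AppData\Local\Temp\Rar$DIa1234\report.hta"'},
    {"ts": "2023-07-13T09:01:15", "pid": 1200, "ppid": 1100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc AAAA"},
    {"ts": "2023-07-13T09:20:00", "pid": 1300, "ppid": 1200,
     "image": r"C:\Users\u\AppData\Local\Temp\AnyDesk.exe", "cmd": "AnyDesk.exe --install"},
    {"ts": "2023-07-13T10:00:00", "pid": 1400, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def _basename(image):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... using a pid -> event index (loop-safe)."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def hunt(events):
    """Return (rule, pid) findings. Assumes pids are not reused within the batch."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _basename(e["image"])
        cmd = e["cmd"].lower()
        # Rule 1: mshta.exe running an .hta out of a temp folder, where archive
        # tools extract attachments before the user double-clicks them.
        if name == HTA_HOST and ".hta" in cmd and "\\temp\\" in cmd:
            findings.append(("hta_from_temp", e["pid"]))
        # Rule 2: PowerShell with an mshta.exe ancestor started within WINDOW.
        if name in POWERSHELL:
            for a in ancestors(e, by_pid):
                if _basename(a["image"]) == HTA_HOST and _ts(e) - _ts(a) <= WINDOW:
                    findings.append(("powershell_under_hta", e["pid"]))
                    break
        # Rule 3: a remote access tool launched from a PowerShell lineage.
        if name in REMOTE_ACCESS and any(
            _basename(a["image"]) in POWERSHELL for a in ancestors(e, by_pid)
        ):
            findings.append(("rat_under_powershell", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 keys on lineage rather than on the encoded command line, because the advisory stresses that the scripts change continuously; the parent relationship and the timing do not. Rule 1's temp-path check is a heuristic and will miss an HTA copied elsewhere first, so treat it as the high-confidence trigger and Rule 2 as the catch-all.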
To evade detection, Gamaredon continuously adapts to defensive measures, using PowerShell scripts to bypass two-factor authentication and changing its infrastructure's IP addresses frequently.
The CERT-UA advisory provides a list of indicators of compromise (IoCs) to support detection of Gamaredon activity.
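Because the advisory warns that a single leftover infected file is enough for reinfection, a cleanup needs a sweep that reports every match of the published IoCs rather than stopping at the first hit. The following is an added example, not CERT-UA code: it hashes every file under a root with SHA-256 and matches against an IoC hash set and an IoC file name set. Both sets here are constructed placeholders (the hash is of a constructed byte string, the name is invented) and must be replaced with the values from the advisory; the sample directory tree is also constructed.

```python
"""Recursive IoC sweep: report every file matching a hash or name IoC.

Added example for this article, not CERT-UA code. The IoC values below are
constructed placeholders, not indicators from the advisory.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed placeholders: substitute the hashes and names CERT-UA publishes.
_CONSTRUCTED_DROPPER = b"constructed sample of a dropped script, not real malware"
IOC_SHA256 = {hashlib.sha256(_CONSTRUCTED_DROPPER).hexdigest()}
IOC_FILENAMES = {"example-dropper.hta"}  # invented name for the example


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large documents do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=IOC_SHA256, names=IOC_FILENAMES):
    """Return sorted (relative POSIX path, reasons) for every IoC match under root.

    Matches on name and hash are reported separately so that a renamed
    leftover copy (hash only) is still surfaced.
    """
    names_lc = {n.lower() for n in names}
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in names_lc:
            reasons.append("name")
        try:
            if sha256_of(path) in hashes:
                reasons.append("sha256")
        except OSError:
            continue  # unreadable or locked file; a real sweep would log it for follow-up
        if reasons:
            hits.append((path.relative_to(root).as_posix(), tuple(reasons)))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed profile-like tree: one benign document, the dropper,
    and a renamed copy of the dropper left behind after a partial cleanup."""
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    files = {
        "docs/report.docx": b"ordinary document content",
        "AppData/Local/Temp/x/example-dropper.hta": _CONSTRUCTED_DROPPER,
        "AppData/Roaming/leftover.txt": _CONSTRUCTED_DROPPER,
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


def sweep_sample():
    """Build the constructed tree and sweep it; used by the stand-alone run."""
    return sweep(build_sample_tree())


if __name__ == "__main__":
    for rel, reasons in sweep_sample():
        print(f"{rel}: matched on {', '.join(reasons)}")
```

The hash-only hit on the renamed copy is the case that matters for the reinfection warning: name-based cleanup alone would have left it in place. Run the sweep with removable media mounted as well, since the advisory's file counts explicitly exclude them.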
It also urges Ukrainian military personnel to install endpoint detection and response (EDR) software to minimize risk, especially on systems outside the protected perimeter, including those that use Starlink terminals for Internet access.
The advisory follows findings published by Symantec in June 2023 indicating that Gamaredon intensified its attacks on Ukraine between January and April 2023.