Gamaredon hackers target Ukrainian military orgs amid counteroffensive efforts

The Moscow-backed hacking group known as Gamaredon is ramping up its attacks on Ukraine's military and government agencies amid the country’s long-awaited counteroffensive.

Ukraine's push is seen as a pivotal phase in the ongoing war. Western allies, including the U.S., are closely monitoring the country's military advancements, providing weapons to aid Kyiv's efforts. But Russia is trying to disrupt Ukraine's offensive operation both on the battlefield and in cyberspace.

Gamaredon hackers, in particular, have recently stepped up their efforts against Ukrainian military organizations and government entities, according to a report published Thursday by Ukraine’s National Coordination Center for Cybersecurity (NCCC).

Gamaredon operates from the Russian-annexed Crimean peninsula and acts on orders from Russia’s Federal Security Service (FSB) in Moscow.

The primary objectives of its attacks are espionage and data theft, according to cybersecurity experts and government officials. In a previous report, the Ukrainian computer emergency response team (CERT-UA), said that the group has also been linked to at least one destructive cyberattack against an unspecified information infrastructure facility.

Read More: GRU hacking tools targeting Ukrainian military devices detailed by Five Eyes

Before Ukraine's counteroffensive began in June of this year, Gamaredon prepared its infrastructure to launch cyberattacks by registering new domains and subdomains. This infrastructure was later used to target Ukrainian military and security organizations, NCCC said.

To hide its activity from targets and researchers, the group’s malware retrieves domain names from legitimate services such as Cloudflare, Telegram, and Telegraph instead of using its real IP addresses.

The Ukrainian government is considering restricting the use of Telegram and Telegraph services to better detect activity from threat actors like Gamaredon, according to NCCC.

Gamaredon phishing campaigns stand out due to their use of legitimate documents stolen from compromised entities. The malicious emails are often disguised as reports or official communications, according to NCCC.

Gamaredon’s malware toolkit includes GammaDrop, GammaLoad, GammaSteel and LakeFlash, but it is constantly evolving.

One of the group’s most distinctive malware strains is Pterodo — a multipurpose tool designed for espionage and data exfiltration. Ukrainian researchers called it “a potent threat, capable of infiltrating and compromising targeted systems with precision.”

While Gamaredon is not the most technically advanced hacking group targeting Ukraine, "the growing frequency of their attacks suggest an expansion in the hacker's operational capacity and resources," the research said. “The alignment of their activities with critical military events amplifies the group’s potential impact.”