Tainted drive appears to be source of malware attack on Western military mission in Ukraine
The Russia-backed threat group Gamaredon, typically known for spreading malware via phishing emails, recently appeared to have used an infected removable drive to target a Ukraine-based military mission of an unnamed Western country, researchers said.
The malware was an updated version of GammaSteel, which is used to steal data, according to researchers at the U.S. cybersecurity firm Symantec who analyzed the latest attacks. The campaign was active in February and March, the report said. The researchers did not describe the removable drive.
After the infection, Gamaredon used new tactics to conceal its activity from both researchers and victims. GammaSteel was deployed via a complex, multi-stage attack chain, Symantec said.
Gamaredon — also known as Shuckworm and BlueAlpha — has been active since at least 2013 and is believed to operate from the Russian-annexed Crimean Peninsula under the control of Russia’s Federal Security Service (FSB). Since the beginning of the Russian invasion, the group has consistently targeted Ukraine. In 2023 alone, the country detected 277 cyber incidents attributed to the group.
While Gamaredon primarily conducts cyberespionage operations against Ukrainian security and defense services, it has also been linked to at least one destructive cyberattack against an unspecified information infrastructure facility.
Symantec did not disclose the targeted organization, the effects of the GammaSteel campaign or the nature of the data the hackers attempted to steal.
The latest incident appears to mark an increase in sophistication for Gamaredon, which has generally been considered less skilled than other Russian threat actors. The group seems to be continuously modifying its code, adding layers of obfuscation, and leveraging legitimate web services, researchers said.
“This campaign also demonstrates that the group remains laser-focused on targeting entities within Ukraine for espionage purposes,” they added.
Earlier in March, researchers at cybersecurity firm Cisco Talos reported an ongoing operation by Gamaredon aimed at installing a surveillance tool on Ukrainian computers. As part of this campaign, Gamaredon used phishing emails containing malicious files related to troop movements in Ukraine to infect victims.
In December, the group was observed using Cloudflare Tunnels — a tool that helps hide the real location of servers or infrastructure — to infect targets with custom GammaDrop malware and remain undetected, according to Recorded Future’s Insikt Group. The Record is an editorially independent unit of Recorded Future.
Earlier last year, two hackers affiliated with the FSB were sentenced in absentia to 15 years in prison in Ukraine for carrying out cyberattacks against state institutions. The pair is reportedly connected to Gamaredon.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.