Russia-backed Gamaredon still ‘most engaged’ hacker group in Ukraine
The Russia-backed threat actor known as Gamaredon has improved its cyberespionage capabilities in Ukraine and remains “the most engaged” state-sponsored hacker group in the country, according to a new report.
Gamaredon, also tracked as Armageddon, has been active since at least 2013 and likely operates from the Russian-annexed Crimean peninsula. The group is believed to act on orders from Russia’s Federal Security Service (FSB).
While the majority of Gamaredon’s attacks target Ukrainian governmental institutions, researchers at the Slovak-based cybersecurity firm ESET discovered that since Russia’s invasion of Ukraine in 2022 the group has also attempted to attack Ukraine’s allies in several NATO countries, including Bulgaria, Latvia, Lithuania, and Poland.
The volume of Gamaredon’s attacks on Ukraine is prolific, researchers said. In 2022 and 2023, they observed more than a thousand unique devices in Ukraine targeted by the group.
Gamaredon has introduced multiple new tools to its arsenal but it is still not technically sophisticated, and the hackers hardly bother to hide their activity, according to the researchers. Its operators “are reckless and do not mind being discovered by defenders during their operations,” they said.
However, the hackers put in significant effort to avoid being blocked by security products and try hard to maintain access to compromised systems by frequently updating their tools and regularly changing obfuscation techniques.
To gain initial access to victims’ systems, the group primarily relies on spearphishing campaigns, using custom malware to infect Word documents and USB drives.
Ukraine has previously warned about the cyber threats posed by Gamaredon, referring to the group as “one of the most active and dangerous threat actors targeting Ukraine during its war with Russia.” In August, Gamaredon targeted Ukraine’s military and government agencies during the country's long-anticipated counteroffensive.
In 2022, the group attempted to compromise a large petroleum refining company within a NATO member state. And in June, two hackers likely linked to Gamaredon were sanctioned by the European Council for attacks on the EU.
ESET claims that Gamaredon’s primary focus remains Ukraine, and “this trend will continue without significant shifts in targeting.”
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.