
Russian state hackers abuse Cloudflare services to spy on Ukrainian targets

A Russian state-sponsored hacker group, known as Gamaredon, has been targeting Ukrainian-speaking victims in an ongoing cyber-espionage campaign, researchers have found.

Gamaredon, also tracked as BlueAlpha, has been previously described as one of “the most engaged” Moscow-backed hacker groups in Ukraine. It has been active since at least 2013 and likely operates from the Russian-annexed Crimean peninsula. The group is believed to act on orders from Russia’s Federal Security Service (FSB).

In its latest campaign, the group has been observed using Cloudflare Tunnels — a tool that helps hide the real location of servers or infrastructure — to infect its targets with custom GammaDrop malware and stay undetected, according to Recorded Future’s Insikt Group. The Record is an editorially independent unit of Recorded Future.

“Cloudflare Tunnels have been gaining momentum as a defense evasion technique due to their ease of setup and the fact that they have no cost to the user in most cases,” researchers said.

Earlier in August, another security company, Proofpoint, reported observing an increase in malware delivery via Cloudflare Tunnel abuse. The attacks they detected were financially motivated.

In a comment to Recorded Future News, Cloudflare stated that it disables and takes down malicious tunnels as soon as they are discovered.

“We continuously work alongside various industry partners – including Recorded Future – to deter abuse on our platform,” a company spokesperson said.

In recent years, Cloudflare said it has introduced machine learning-based detections in its tunnel product to better address malicious activity.

“We encourage security vendors to submit any suspicious URLs, and we will take action against any customers who use our services for malware,” the company added.

To deliver GammaDrop to the targeted systems, the hackers used malicious email attachments. GammaDrop is a payload used to establish a foothold on a victim's machine and deliver GammaLoad, the group’s custom backdoor.

Insikt Group said that the latest GammaDrop sample they obtained has been obfuscated with “extensive amounts” of junk code and random variable names, making it harder to detect and analyze.

According to researchers, the group will likely continue improving its evasion techniques, including by using popular legitimate services like Cloudflare.

Researchers haven’t disclosed which Ukrainian organizations the hackers targeted or the results of the campaign, but Gamaredon is known for using malware that allows hackers to exfiltrate data, steal credentials, execute additional payloads and maintain persistent access to compromised networks.

In August, around the same time Insikt Group said they obtained the GammaDrop sample, the group targeted Ukraine’s military and government agencies during the country's long-anticipated counteroffensive. In a report published at that time by Ukraine’s National Coordination Center for Cybersecurity (NCCC), the agency said that to hide its activity from targets and researchers, the group’s malware retrieves domain names from legitimate services such as Cloudflare, Telegram and Telegraph instead of using its real IP addresses.

Editor's Note: Story updated December 6 at 7:45 a.m. Eastern U.S. time with statement from Cloudflare.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.