According to a report by the BlackBerry Research and Intelligence Team, the Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital attacks against Ukraine, utilizing the popular messaging app Telegram to target the country’s military and law enforcement sectors.
The group, also known by various other names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has been known to target Ukrainian entities since at least 2013.
The report states that the group's network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, leading the victim to the next-stage server for the final payload. This method of infecting target systems is a new tactic for the group.
Additionally, the report highlights that Gamaredon has evolved its tactics, using a hard-coded Telegram channel to fetch the IP address of the server hosting the malware. The IP addresses are periodically rotated to evade detection.
The payload delivered is an information stealer that Cisco Talos previously documented in September 2022.
BlackBerry also noted that the group changes IP addresses dynamically, making it harder to automate analysis through sandbox techniques. Furthermore, the group is suspected to operate from a single location and, in all probability, belongs to an offensive cyber unit that conducts malicious operations against Ukraine.
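As an added illustration of the dead-drop pattern described above (not code from the BlackBerry report), the following Python scans constructed proxy log lines for a Telegram channel-page fetch followed within a short window by a connection to a bare IP address from the same host, and then flags channels whose follow-on IP changes between fetches. Hostnames, channel names and addresses are placeholders, not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines "<timestamp> <host> <method> <target> <status>"; placeholder values only.
SAMPLE_LOG = """\
2023-01-20T10:00:01Z host-a GET https://t.me/s/placeholder_channel_1 200
2023-01-20T10:00:04Z host-a CONNECT 203.0.113.25:443 200
2023-01-20T10:05:00Z host-b GET https://t.me/s/placeholder_channel_2 200
2023-01-20T12:00:00Z host-a GET https://t.me/s/placeholder_channel_1 200
2023-01-20T12:00:02Z host-a CONNECT 198.51.100.7:443 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Public channel preview URLs (t.me/<name> or t.me/s/<name>) are readable without an account.
TELEGRAM_RE = re.compile(r"^https?://t\.me/(?:s/)?([A-Za-z0-9_]+)")
# Connections addressed to a literal IPv4 address rather than a hostname.
BARE_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")

def parse(log_text):
    """(timestamp, host, method, target) per well-formed line, oldest first."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return sorted((datetime.fromisoformat(m[1].replace("Z", "+00:00")), m[2], m[3], m[4])
                  for m in matches if m)

def find_dead_drop_resolutions(log_text, window_seconds=30):
    """Return (host, channel, ip) for each Telegram channel fetch that the same host
    follows within window_seconds with a connection to a bare IP address."""
    by_host = defaultdict(list)
    for ev in parse(log_text):
        by_host[ev[1]].append(ev)
    hits = []
    for host, evs in by_host.items():
        for i, (ts, _, _, target) in enumerate(evs):
            if not (channel := TELEGRAM_RE.match(target)):
                continue
            for ts2, _, _, target2 in evs[i + 1:]:
                if ts2 - ts > timedelta(seconds=window_seconds):
                    break  # events are time-ordered, so nothing later can qualify
                if (ip := BARE_IP_RE.match(target2)):
                    hits.append((host, channel.group(1), ip.group(1)))
    return hits

def rotating_channels(hits):
    """Channels whose fetches were followed by more than one distinct IP (periodic rotation)."""
    seen = defaultdict(set)
    for _host, channel, ip in hits:
        seen[channel].add(ip)
    return {c: sorted(ips) for c, ips in seen.items() if len(ips) > 1}
```

Ordinary Telegram browsing with no follow-on bare-IP connection (host-b in the sample) produces no hit, so the correlation window, not the Telegram domain alone, carries the signal.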
The development of this report comes as the Computer Emergency Response Team of Ukraine (CERT-UA) attributed a destructive malware attack targeting the National News Agency of Ukraine to the Russia-linked Sandworm hacking group.