🇷🇺

Callisto

APT Group Information theft and espionage 4 zero-day CVEs ETDA ✓

Also Known As 10 names

Blue Callisto BlueCharlie COLDRIVER GOSSAMER BEAR IRON FRONTIER SEABORGIUM Star Blizzard TA446 TAG-53 UNC4057

Target Countries 11

Countries highlighted in red

Germany Estonia France United Kingdom Greece Latvia Norway Poland Sweden Ukraine United States

Sectors Targeted

Administrative and Support and Waste Management and Remediation Services 56 Justice, Public Order, and Safety Activities 922 Public Administration 92 Colleges, Universities, and Professional Schools 6113 Management, Scientific, and Technical Consulting Services 5416 Computer Systems Design and Related Services 54151 Administrative and Support Services 561 Periodical Publishers 51112 Electric Power Generation 22111 Insurance Carriers and Related Activities 524 Publishing Industries (except Internet) 511 Employment Placement Agencies and Executive Search Services 56131 National Security and International Affairs 9281 Grantmaking and Giving Services 8132 Investigation, Guard, and Armored Car Services 56161 Educational Services 61 Religious, Grantmaking, Civic, Professional, and Similar Organizations 813 National Security and International Affairs 928 National Security and International Affairs 928110 Motion Picture and Video Production 51211 Professional, Scientific, and Technical Services 54 Space Research and Technology 927 Information 51 Utilities 22 Internet Publishing and Broadcasting and Web Search Portals 51913 Computer Systems Design Services 541512 Security Guards and Patrol Services 561612 Personal Care Services 8121

Details

Origin 🇷🇺 RU

Last Updated 01 Jun 2022

MITRE ATT&CK 70

T1001 T1003 T1005 - Data from Local System T1012 - Query Registry T1016 - System Network Configuration Discovery T1027 - Obfuscated Files or Information T1027.002 - Software Packing T1033 - System Owner/User Discovery T1036 - Masquerading T1041 - Exfiltration Over C2 Channel T1049 - System Network Connections Discovery T1053.005 - Scheduled Task T1056.001 - Keylogging T1057 - Process Discovery T1059 T1059.001 - PowerShell T1059.003 - Windows Command Shell T1059.006 - Python T1059.007 T1064 T1070 T1071 - Application Layer Protocol T1071.001 - Web Protocols T1074 - Data Staged T1078 T1082 - System Information Discovery T1083 - File and Directory Discovery T1102 - Web Service T1105 - Ingress Tool Transfer T1112 - Modify Registry T1114 T1114.002 T1114.003 T1115 - Clipboard Data T1120 - Peripheral Device Discovery T1124 - System Time Discovery T1129 T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T1204 - User Execution T1204.002 - Malicious File T1217 - Browser Bookmark Discovery T1218 T1221 T1518 - Software Discovery T1539 T1547.001 - Registry Run Keys / Startup Folder T1550 T1550.004 T1553 T1566 - Phishing T1566.001 T1571 - Non-Standard Port T1583 T1583.001 T1585 T1585.001 T1585.002 T1586 T1586.002 T1588 T1588.002 T1589 T1593 T1598 T1598.002 T1598.003 T1608 T1608.001 T1614 - System Location Discovery

Related Zero-Days 4

CVE-2022-30190 CVE-2023-36884 CVE-2023-38831 CVE-2024-4947

Known Names 17 entries

Gamaredon Group Palo Alto

Winterflounder iDefense

Primitive Bear CrowdStrike

BlueAlpha Recorded Future

Blue Otso PWC

Iron Tilden SecureWorks

Armageddon SSU

SectorC08 ThreatRecon

Callisto NATO Association of Canada

Shuckworm Symantec

Actinium Microsoft

Trident Ursa Palo Alto

DEV-0157 Microsoft

UAC-0010 CERT-UA

Aqua Blizzard Microsoft

UNC530 ?

G0047 MITRE

Observed Target Countries 42

Based on ETDA data — countries highlighted in red

Albania Austria Australia Bangladesh Brazil Canada Chile China Colombia Croatia Denmark Georgia Germany Guatemala Honduras India Indonesia Iran Israel Italy Japan Kazakhstan Latvia Malaysia Netherlands Nigeria Norway Pakistan Papua New Guinea Poland Portugal Romania Russia South Africa South Korea Spain Sweden Turkey UK Ukraine USA Vietnam

Description

(Lookingglass) The Lookingglass Cyber Threat Intelligence Group (CTIG) has been tracking an ongoing cyber espionage campaign named “Operation Armageddon”. The name was derived from multiple Microsoft Word documents used in the attacks. “Armagedon” (spelled incorrectly) was found in the “Last Saved By” and “Author” fields in multiple Microsoft Word documents. Although continuously developed, the campaign has been intermittently active at a small scale, and uses unsophisticated techniques. The attack timing suggests the campaign initially started due to Ukraine’s decision to accept the Ukraine-‐European Union Association Agreement (AA). The agreement was designed to improve economic integrations between Ukraine and the European Union. Russian leaders publicly stated that they believed this move by Ukraine directly threatened Russia’s national security. Although initial steps to join the Association occurred in March 2012, the campaign didn’t start until much later (mid‐2013), as Ukraine and the EU started to more actively move towards the agreement. Russian actors began preparing for attacks in case Ukraine finalized the AA. The earliest identified modification timestamp of malware used in this campaign is June 26, 2013. A group of files with modification timestamps between August 12 and September 16, 2013 were used in the first wave of spear-phishing attacks, targeting government officials prior to the 10th Yalta Annual Meeting: “Changing Ukraine in a Changing World: Factors of Success.”

Tools Used 22

Aversome infector BoneSpy DessertDown DilongTrash DinoTrain EvilGnome FRAUDROP Gamaredon GammaDrop GammaLoad GammaSteel ObfuBerry ObfuMerry PlainGnome PowerPunch Pteranodon QuietSieve RemcosRAT RMS Resetter SUBTLE-PAWS UltraVNC

Operations 30

2019-04 The discovered attack appears to be designed to lure military personnel: it leverages a legit document of the “State of the Armed Forces of Ukraine” dated back in the 2nd April 2019. https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/

2019-05 The Gamaredon attacks against Ukraine doesn’t seem to have stopped. After a month since our last report we spotted a new suspicious email potentially linked to the Gamaredon group. https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-a-month-later/

2019-07 EvilGnome: Rare Malware Spying on Linux Desktop Users https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/

2019-10 Lure documents observed appear to target Ukrainian entities such as diplomats, government employees, military officials, and more. https://www.anomali.com/blog/malicious-activity-aligning-with-gamaredon-ttps-targets-ukraine#When:15:00:00Z

2019-11 New wave of attacks https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/

2019-12 Gamaredon APT Improves Toolset to Target Ukraine Government, Military https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/

2020-03 Moving into March 2020, countries worldwide are still struggling to manage the spread of the viral disease now known as COVID-19. In cyberspace, threat actors are using the topic of COVID-19 to their advantage with numerous examples of malicious activity using COVID-19 as lure documents in phishing campaigns. https://info.ai.baesystems.com/rs/308-OXI-896/images/COVID-19-Infographic-Mar2020.pdf

2020 Early Since the beginning of 2020 there are reports that APT group has taken advantage of the coronavirus pandemic and used it as a lure to attract victims to open malicious attachments sent with spearphishing emails. https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf

2020-04 The attacks we found all arrived through targeted emails (MITRE ATT&CK framework ID T1193). One of them even had the subject “Coronavirus (2019-nCoV).” https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/

2021-01 Russia-Sponsored Group Employs Apparently Legitimate Documents Aligned to Growing Hostilities Between Russia and Ukraine https://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes

2021-07 Shuckworm Continues Cyber-Espionage Attacks Against Ukraine https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

2021-10 Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis. https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

2021-12 Lookout Discovers Two Russian Android Spyware Families from Gamaredon APT https://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware

2022-01 Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/

2022-02 Gamaredon APT utilised new malware payloads to target Ukraine https://www.izoologic.com/2022/02/23/gamaredon-apt-utilised-new-malware-payloads-to-target-ukraine/

2022-02 Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine https://unit42.paloaltonetworks.com/trident-ursa/

2022-03 Network Footprints of Gamaredon Group https://blogs.cisco.com/security/network-footprints-of-gamaredon-group

2022-04 Ukraine spots Russian-linked 'Armageddon' phishing attacks https://www.bleepingcomputer.com/news/security/ukraine-spots-russian-linked-armageddon-phishing-attacks/

2022-04 Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine

2022-05 Ukraine CERT-UA warns of new attacks launched by Russia-linked Armageddon APT https://securityaffairs.co/wordpress/131296/breaking-news/cert-ua-warns-armageddon-apt.html

2022-07 Shuckworm: Russia-Linked Group Maintains Ukraine Focus https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm

2022-09 Gamaredon APT targets Ukrainian government agencies in new campaign https://blog.talosintelligence.com/gamaredon-apt-targets-ukrainian-agencies/

2022-11 Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations

2022-11 Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html

2023-01 Russia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware https://therecord.media/russia-backed-hacker-group-gamaredon-attacking-ukraine-with-info-stealing-malware/

2024-01 Operation “STEADY#URSA” Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor https://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/

2024-09 BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf

2024-10 ESET Research: Russia’s Gamaredon APT group unleashed spearphishing campaigns against Ukraine with an evolved toolset https://www.eset.com/us/about/newsroom/research/eset-research-russias-gamaredon-apt-group-unleashed-spearphishing-campaigns-against-ukraine-with-an-evolved-toolset/

2024-11 Gamaredon campaign abuses LNK files to distribute Remcos backdoor https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/

2025-02 Shuckworm Targets Foreign Military Mission Based in Ukraine https://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel

Reports & References 13

https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/ https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/ https://www.recordedfuture.com/bluealpha-iranian-apts/ https://www.ria.ee/sites/default/files/js/tale_of_gamaredon_infection.pdf https://blog.talosintelligence.com/2021/02/gamaredonactivities.html https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military https://www.bleepingcomputer.com/news/security/gamaredon-hackers-start-stealing-data-30-minutes-after-a-breach/ https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/Gamaredon_activity.pdf https://web-assets.esetstatic.com/wls/en/papers/white-papers/cyberespionage-gamaredon-way.pdf https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/

ETDA Profile

Gamaredon Group

Origin

Russia

First Seen 2013

Sponsor State-sponsored, FSB Centre 18: Centre for Information Security (TsIB)

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0047/

View on ETDA APT Groups ↗