blacktemple.net · Cybersecurity News & Analysis · github: defconxt · © 2026

Gamaredon

Also known as: Primitive Bear · Aqua Blizzard · Shuckworm · Armageddon · Actinium · UAC-0010 · DEV-0157 · Winterflounder

Type: nation-state
Nation: 🇷🇺 Russia
Active Since: 2013
Targets: Government, Military, Law Enforcement, Diplomatic Entities, NGOs, Media, Education, Defense
Known Tools: Pterodo, QuietSieve, GammaLoad, GammaSteel, DinoTrain, LitterDrifter, EvilGnome, ObfuMerry, PowerPunch, SickSync, FileStealer
MITRE ATT&CK: T1566.001, T1566.002, T1204.001, T1204.002, T1059.001, T1059.005, T1059.003, T1547.001, T1053.005, T1221, T1091, T1071.001, T1568.002, T1120, T1025
References: MITRE ATT&CK, SSU Ukraine Attribution Report, CERT-UA Gamaredon Advisories, Microsoft Aqua Blizzard, Symantec Shuckworm Analysis

Background

Gamaredon, also known as Primitive Bear and Aqua Blizzard, is a cyber espionage group attributed to Russia's Federal Security Service (FSB), specifically operating from FSB offices in occupied Crimea. In November 2021, Ukraine's Security Service (SSU) publicly identified five FSB officers by name as members of the group, all operating from the Crimean city of Sevastopol. This made Gamaredon one of the few threat groups with publicly identified individual operators, providing high-confidence attribution.

The group has been active since at least 2013, shortly before Russia's annexation of Crimea, and focuses almost exclusively on Ukrainian targets. Gamaredon is the most prolific threat actor targeting Ukraine, conducting thousands of attacks per year against government agencies, military organizations, law enforcement, judiciary, NGOs, and media. The SSU attributed over 5,000 cyberattacks to the group by late 2021, a number that has increased dramatically since Russia's 2022 invasion.

Unlike more technically sophisticated Russian groups like Turla or APT29, Gamaredon compensates with volume, speed, and persistence. The group rapidly iterates on relatively simple but effective techniques, deploying waves of phishing campaigns and continuously updating their malware to evade detection. They prioritize broad collection from Ukrainian government networks over surgical targeting, and their operations have provided intelligence supporting Russian military operations in Ukraine. Despite their lower technical sophistication, Gamaredon's relentless operational tempo makes them one of the most impactful threats to Ukrainian cybersecurity.

Notable Campaigns

Pre-Invasion Ukrainian Government Targeting (2013-2021) — From its inception, Gamaredon conducted persistent spearphishing campaigns against Ukrainian government email systems, military command structures, and law enforcement agencies. The group maintained continuous access to multiple Ukrainian government networks, cycling through malware variants to maintain persistence despite repeated detection and remediation efforts.

Escalation During Russian Invasion (2022-Present) — Gamaredon dramatically escalated operations in support of Russia's full-scale invasion of Ukraine in February 2022. The group shifted to faster operational cycles, deploying new malware variants weekly and targeting military personnel's personal devices alongside government systems. CERT-UA documented hundreds of Gamaredon campaigns throughout 2022-2023, making it the single most active threat group in the conflict.

LitterDrifter USB Worm Campaign (2023) — Check Point Research disclosed Gamaredon's LitterDrifter, a VBS-based USB worm designed to spread through removable drives and establish C2 communications. While primarily targeting Ukrainian entities, the worm's self-propagating nature caused infections to spread beyond Ukraine to organizations in the United States, Vietnam, Chile, Poland, Germany, and Hong Kong, demonstrating the collateral risk of self-replicating malware.

SickSync Campaign Targeting Ukrainian Military (2024) — CERT-UA reported Gamaredon deploying a modified version of the legitimate Syncthing file synchronization tool, dubbed SickSync, to exfiltrate documents from Ukrainian defense force personnel. The campaign targeted military messaging applications and document stores, focusing on operational intelligence relevant to the ongoing conflict.

Telegram Account Targeting (2022-2024) — Gamaredon has consistently targeted Telegram accounts of Ukrainian military and government personnel, attempting to hijack sessions to access communications and contact lists. The group sends phishing messages through compromised accounts, leveraging trust relationships to expand access within military communication networks.

Tactics, Techniques & Procedures

Initial Access — Gamaredon's primary vector is mass spearphishing campaigns using weaponized documents (T1566.001) and links to malicious archives (T1566.002). Lure documents typically reference Ukrainian government correspondence, military orders, or current events related to the conflict. The group sends phishing emails from previously compromised government email accounts to maximize credibility. Attachments are commonly macro-enabled documents, HTM files with embedded scripts, or password-protected archives containing LNK files.

Execution & Payload Delivery — Gamaredon relies heavily on scripting languages: VBScript (T1059.005), PowerShell (T1059.001), and batch files (T1059.003). The group uses template injection (T1221) in Office documents, where a benign-looking document fetches a malicious remote template containing macros or exploits. This technique bypasses email attachment scanning since the document itself contains no malicious code. Multi-stage chains typically progress from a document through several script layers before deploying the final payload.

Persistence & Propagation — Registry run keys (T1547.001) and scheduled tasks (T1053.005) provide persistence. Gamaredon's LitterDrifter and earlier USB tools (T1091) spread through removable drives by creating hidden LNK files mimicking the names of legitimate folders on the drive. The group modifies Microsoft Office templates to ensure all documents created on an infected machine contain malicious macros, enabling spread through normal document sharing.

Collection & Exfiltration — Gamaredon focuses on document theft, targeting files with extensions including .doc, .docx, .xls, .xlsx, .pdf, .rtf, .txt, and .odt. Tools like GammaSteel and QuietSieve enumerate and exfiltrate files matching target extensions (T1025). The group also captures screenshots, keystrokes, and peripheral device data (T1120). Exfiltration occurs over HTTP/HTTPS (T1071.001) to rapidly rotating infrastructure.

Infrastructure Management — Gamaredon operates massive infrastructure with thousands of domains, using fast-flux DNS (T1568.002) to rapidly rotate IP addresses. The group registers domains through specific registrars and uses Cloudflare DNS services. Domains typically use dynamic DNS providers or are registered with short lifespans and rotated frequently, complicating blocklisting efforts.

Tools & Malware

  • Pterodo (Pteranodon) — Primary backdoor family with numerous variants, providing remote command execution, file download/upload, screenshot capture, and keylogging. Written in VBS and PowerShell, continuously updated to evade detection.
  • GammaLoad — VBS-based downloader that establishes initial C2 communication and downloads next-stage payloads. Deployed through phishing documents and template injection.
  • GammaSteel — PowerShell-based information stealer targeting documents, browser data, and system information. Enumerates drives and exfiltrates files matching targeted extensions.
  • QuietSieve — .NET-based information stealer focusing on document collection from removable drives and network shares. Includes screenshot capture and clipboard monitoring.
  • LitterDrifter — VBS USB worm that creates hidden LNK files on removable drives to spread between systems. Features a simple C2 module using Telegram or custom servers for command retrieval.
  • SickSync — Modified Syncthing tool repurposed for covert file exfiltration, synchronizing targeted directories to attacker-controlled infrastructure.
  • PowerPunch — PowerShell downloader and reconnaissance tool used in early-stage infection chains to profile targets before deploying primary implants.
  • ObfuMerry — Obfuscation wrapper used to protect VBS and PowerShell payloads from static analysis, updated frequently with new obfuscation patterns.

Indicators & Detection

Phishing Detection — Gamaredon's volume-based approach means robust email filtering is critical. Monitor for documents with remote template references to suspicious URLs (template injection). Block macro execution in documents from untrusted sources. Detect password-protected archives containing LNK or script files. Flag emails from compromised Ukrainian government domains arriving unexpectedly.
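The remote-template check described here and under Execution & Payload Delivery above can be done statically on the attachment itself. The following is an added example (not code from blacktemple.net or any vendor) that inspects a .docx's settings relationships for an external http(s) attached template; the sample document and its hostname are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# A .docx is a ZIP. An attached template is recorded in this part as a
# Relationship whose Type is the attachedTemplate URI; a remote one also
# carries TargetMode="External" and an http(s) Target.
RELS_PART = "word/_rels/settings.xml.rels"
RELS_XMLNS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_NS = "{" + RELS_XMLNS + "}"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")


def remote_templates(docx_bytes):
    """Return every external http(s) template URL the document would fetch."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return []  # document has no settings relationships at all
        root = ET.fromstring(zf.read(RELS_PART))
    hits = []
    for rel in root.iter(RELS_NS + "Relationship"):
        if rel.get("Type") != TEMPLATE_TYPE or rel.get("TargetMode") != "External":
            continue  # not a template, or a local template such as Normal.dotm
        target = rel.get("Target", "")
        if urlparse(target).scheme in ("http", "https"):
            hits.append(target)
    return hits


def build_sample_docx(template_target=None):
    """Constructed minimal .docx for the demo (sample data, not a real lure)."""
    rels = f'<Relationships xmlns="{RELS_XMLNS}">'
    if template_target is not None:
        rels += (f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical hostname; .invalid is reserved and never resolves.
    print(remote_templates(build_sample_docx("http://tmpl.example.invalid/a.dotm")))
    print(remote_templates(build_sample_docx()))
```

A local template reference (a bare Normal.dotm) is not flagged, so the check isolates the network-fetch behaviour rather than template use in general.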

Script Execution Monitoring — Gamaredon heavily relies on VBScript and PowerShell. Enable and monitor Script Block Logging, Module Logging, and Transcription in PowerShell. Alert on wscript.exe and cscript.exe execution with network connections. Detect suspicious scheduled task creation and registry run key modifications referencing script files in temp directories.

USB & Removable Media Controls — LitterDrifter spreads through USB drives. Implement removable media policies, monitor for autorun-related registry modifications, and detect creation of hidden LNK files on removable drives. Alert on USB drive enumeration by scripting engines.

Infrastructure-Based Detection — Gamaredon's fast-flux DNS infrastructure is a reliable indicator. Monitor DNS queries to known dynamic DNS providers associated with the group (e.g., ddns.net, hopto.org, servegame.com). Detect high-frequency DNS changes and connections to recently registered domains. Maintain updated threat intelligence feeds that track Gamaredon's rapidly rotating C2 domains.
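The script-host rule from Script Execution Monitoring and the dynamic DNS check from this paragraph combine naturally into one correlation. This added example (not code from blacktemple.net) joins Sysmon-style process-creation and network-connection events on ProcessGuid and raises severity when a script host reaches one of the dynamic DNS suffixes named above; all events, paths and hostnames are constructed.

```python
from collections import defaultdict

# Script hosts that Gamaredon's VBS/PowerShell chains run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Dynamic DNS providers named in the guidance above; a match raises severity.
DYNDNS_SUFFIXES = (".ddns.net", ".hopto.org", ".servegame.com")

# Constructed Sysmon-style telemetry (not real indicators): EventID 1 is
# process creation, EventID 3 a network connection; both carry ProcessGuid.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A1", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //e:vbs C:\Users\u\AppData\Local\Temp\update.txt"},
    {"EventID": 1, "ProcessGuid": "B2", "Image": r"C:\Program Files\Browser\browser.exe",
     "CommandLine": "browser.exe"},
    {"EventID": 1, "ProcessGuid": "C3", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},  # offline admin script
    {"EventID": 3, "ProcessGuid": "A1", "DestinationHostname": "host-123.ddns.net"},
    {"EventID": 3, "ProcessGuid": "B2", "DestinationHostname": "www.example.com"},
    {"EventID": 3, "ProcessGuid": "A1", "DestinationHostname": "203.0.113.5"},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()  # basename of a Windows path


def is_dyndns(host):
    return host.lower().endswith(DYNDNS_SUFFIXES)


def detect(events):
    """One alert per script-host process that made any network connection."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["EventID"] == 3:
            conns[e["ProcessGuid"]].append(e["DestinationHostname"])
    alerts = []
    for guid, hosts in conns.items():
        proc = procs.get(guid)
        if proc is None or image_name(proc["Image"]) not in SCRIPT_HOSTS:
            continue  # non-script process, or no matching creation event
        alerts.append({"guid": guid, "image": image_name(proc["Image"]),
                       "command_line": proc["CommandLine"], "destinations": hosts,
                       "severity": "high" if any(map(is_dyndns, hosts)) else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], alert["destinations"])
```

The cscript.exe process with no network event produces no alert, which is what keeps an "execution with network connections" rule quiet on ordinary administrative scripts.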

File System Monitoring — Detect mass file enumeration targeting document extensions (.doc, .docx, .pdf, .xls). Monitor for Office template modification (Normal.dotm) and unexpected macro insertion. Alert on Syncthing or similar synchronization tool installations that were not authorized by IT administration.
