
New Report Reveals Shuckworm’s Longstanding Intrusion on Ukrainian Organizations
The Russian threat actor known as Shuckworm has continued its cyberattacks against Ukrainian entities in an attempt to steal sensitive information from compromised environments.
The targets of the recent intrusions, which started in February/March 2023, include security services, military, and government organizations, Symantec said in a new report shared with The Hacker News.
“In some cases, Russian groups managed to carry out long-term intrusions, lasting as long as three months,” the cybersecurity firm said.
“The attackers repeatedly attempted to access and steal sensitive information such as reports on Ukrainian service member deaths, reports of enemy engagements and airstrikes, armory inventory reports, training reports, and more.”
Shuckworm, also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, is associated with the Russian Federal Security Service (FSB). It is said to have been active since at least 2013.
Its cyber espionage activity consists of spear-phishing campaigns designed to lure victims into opening booby-trapped attachments, ultimately leading to the deployment of information stealers such as Giddome, Pterodo, GammaLoad, and GammaSteel on infected hosts.
“Iron Tilden sacrificed some operational security for high-tempo operations, meaning that their infrastructure was identifiable through regular use of specific Dynamic DNS providers, Russian hosting providers, and remote template injection techniques,” Secureworks notes in its threat actor profile.
In the latest series of attacks detailed by Symantec, the threat actor has been observed using a new PowerShell script to deploy the Pterodo backdoor via USB drives.
While Shuckworm’s use of Telegram channels to retrieve the IP addresses of servers hosting payloads is well documented, the threat actor is said to have also developed a technique to store command-and-control (C2) addresses on Telegraph, a blogging platform owned by Telegram.
Also used by the group are PowerShell scripts (“foto.safe”) propagated via compromised USB drives, which have the ability to download additional malware to the host.
Further analysis of the intrusions shows that the adversary managed to compromise machines in the human resources department of a targeted organization, suggesting an attempt to gather information on various individuals working in the entity.
These findings are yet another indication of Shuckworm’s continued reliance on short-lived infrastructure and the continued evolution of tactics and tools to stay ahead of the detection curve.
They also arrive a day after Microsoft disclosed destructive attacks, espionage and information operations by another Russian nation-state actor known as Cadet Blizzard targeting Ukraine.
“This activity demonstrates that Shuckworm’s relentless focus on Ukraine continues,” said Symantec. “It seems clear that Russian state-backed attack groups are continuing to attack Ukrainian targets in an attempt to find data that could potentially aid their military operations.”