Cyber Threat Actor: Gamaredon
| Actor Type | Location | Known Incidents |
Nation State
|
Russia
|
1 incident |
|---|
Profile
Gamaredon, also tracked as Primitive Bear and UAC‑0046, is a threat actor publicly linked to Russia and observed conducting cyber operations against Ukrainian targets. The group’s activities have been described as cyber‑espionage with elements of disruption, including digital attacks on physical infrastructure and field hardware such as artillery, alongside the collection of system data from compromised machines for further command‑and‑control instructions. Its focus has consistently been on Ukrainian governmental institutions, military and security organizations, diplomatic entities, law‑enforcement agencies, journalists, non‑governmental organizations and the Ministry of Foreign Affairs, reflecting a strategic interest in gathering intelligence and influencing the national security environment of Ukraine.
The actor’s typical tactics involve the use of custom malware families such as Pterodo and its variant Pteranodon, which are delivered through self‑extracting archives (SFX) often masquerading as legitimate software or RTF documents. Initial access is frequently achieved via spear‑phishing emails containing weaponized documents that employ template injection techniques to download malicious .dot files, which then execute VBA macros that write VBScript to the startup folder and retrieve encrypted payloads from dynamic DNS domains. The malware incorporates .NET components, obfuscated Excel and Word macro execution, fake Microsoft digital certificates, and leverages Nginx forwarders to relay traffic from infected hosts. Persistence is established through startup‑folder LNK symlinks, scheduled tasks that run every 30‑32 minutes, and the use of hard‑coded passwords to extract nested archives. The group’s tooling shows a reliance on chained SFX structures, Matryoshka‑style payloads, and language‑based activation checks that limit execution to systems with localized settings for former Soviet states.
Notable operations include a sustained campaign from September to November 2019 that targeted the Ukrainian Ministry of Foreign Affairs and other governmental bodies, during which more than five thousand unique Ukrainian entities were reportedly affected. In April 2019, a separate operation used a fake RTF/SFX lure purporting to be a “State of the Armed Forces of Ukraine” document to deploy the Pteranodon implant against military personnel. Earlier, in November 2018, CERT‑UA and Ukraine’s Foreign Intelligence Service detected a new Pterodo backdoor variant targeting Ukrainian government agencies, highlighting the group’s long‑standing use of this malware family since at least 2013. These examples illustrate Gamaredon’s persistent focus on espionage‑oriented intrusion, its evolving toolset, and its alignment with Russian state‑linked interests in the Ukrainian theater.
