New evidence suggests that the Russia-linked threat actor Gamaredon is a hack-for-hire group that offers its services to other advanced persistent threat (APT) actors, similar to crimeware gangs, according to security researchers with Cisco’s Talos division.
Also referred to as Primitive Bear and active since at least 2013, the threat actor has been long associated with pro-Russia activities, showing a focus on Ukrainian targets. However, the group targets victims worldwide for espionage purposes and is not as stealthy as other major APT actors.
Despite being exposed several times in the past, the group has continued operations unhindered, gathering information on intended targets and sharing the data with other units, likely more advanced threat actors. In addition to offering services to these APTs, however, the gang is conducting its own, separate activity as well.
The tactics, techniques and procedures (TTPs) employed by Gamaredon, Talos says, are commonly observed in the crimeware world, and include the use of trojanized installers, self-extracting archives, spam emails with malicious payloads, template injection, and the like.
Furthermore, the group operates an infrastructure of more than 600 active domains that are used as command and control (C&C) for the first stage, which deploys the second stage payloads and updates both stages when needed.
“APT groups are often associated with focused, high-impact activities with extremely small footprints leading to an extremely stealthy activity that’s hard to detect. However, Gamaredon is the opposite of that — though it’s still considered an APT actor,” Talos explains.
One of the most active and undeterred actors, Gamaredon doesn’t show the same fluency and techniques that more advanced operations employ, but there’s also no indicator that the group profits off the information stolen from victims.
According to Cisco’s researchers, the group’s modus operandi resembles that of second-tier APTs that pass critical information to top-tier units, operating as a service provider for more advanced APTs. However, it also engages in side jobs and takes special care to avoid certain IP addresses — in one campaign Cisco observed roughly 1,700 IP addresses from 43 different countries.
Despite the lack of high level technical expertise, the threat actor clearly has capability (given the size of its infrastructure), shows dedicated development effort to add new capabilities and features, and continues to be active to date, with the latest activity observed in February 2021.
Gamaredon might not necessarily be a state-sponsored actor, but instead working for whoever pays the most. However, the group could still be considered an APT — given its specific interest in Ukraine and lack of attempts to monetize stolen data — but has a diverse level of targeting and an almost crimeware-like approach.
“This group has targeted a major bank in Africa, U.S. educational facilities, European telecommunications and hosting providers. The seemingly specific victimology of Gamaredon is thrown into doubt, as we have uncovered a myriad of different vertices, not limited to the above mentioned, and seemingly with a widespread approach that goes beyond only Ukraine,” Talos notes.
Thus, the researchers consider Gamaredon a second-tier APT, which provides breach services to tier-one actors, in a manner similar to what happens in the cybercrime scene. Furthermore, the group lacks the sophistication of others and often has bad OPSEC or makes amateurish mistakes that result in their operations being exposed.
“We believe that challenging the status quo on Gamaredon and others that could fit the previous definition, is beneficial as a whole. It will help organizations better understand the threats that they must focus their resources on. The fact remains Gamaredon remains a notoriously prolific group operating without any constraints on a globally impacting level,” Talos concludes.