New Report Reveals Shuckworm's Long-Running Intrusions on Ukrainian Organizations
15.6.23  BigBrothers  The Hacker News
The Russian threat actor known as Shuckworm has continued its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments.

Targets of the recent intrusions, which began in February/March 2023, include security services, military, and government organizations, Symantec said in a new report shared with The Hacker News.

"In some cases, the Russian group succeeded in staging long-running intrusions, lasting for as long as three months," the cybersecurity company said.

"The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian service members, reports from enemy engagements and air strikes, arsenal inventory reports, training reports, and more."

Shuckworm, also known by the names Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, is attributed to Russia's Federal Security Service (FSB). The group is believed to have been active since at least 2013.

The cyber espionage activities consist of spear-phishing campaigns designed to entice victims into opening booby-trapped attachments, which ultimately lead to the deployment of malware families such as Giddome, Pterodo, GammaLoad, and GammaSteel, including backdoors and information stealers, on infected hosts.

"Iron Tilden sacrifices some operational security in favor of high tempo operations, meaning that their infrastructure is identifiable through regular use of specific Dynamic DNS providers, Russian hosting providers, and remote template injection techniques," Secureworks notes in its profile of the threat actor.

In the latest set of attacks detailed by Symantec, the threat actors have been observed using a new PowerShell script to propagate the Pterodo backdoor via USB drives.

While Shuckworm's use of Telegram channels to retrieve the IP address of the server hosting the payloads is well documented, the threat actor is said to have expanded the technique to store command-and-control (C2) addresses on Telegraph, a blogging platform owned by Telegram.

Also used by the group is a PowerShell script ("foto.safe") that's spread through compromised USB drives and features capabilities to download additional malware onto the host.
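
The two behaviours described above, a PowerShell script carried on a removable drive and PowerShell looking up Telegram or Telegraph to find its C2 address, lend themselves to a host-level hunt. The following Python is an added example written for this page, not code from Symantec's report or from the malware itself. It runs three heuristic rules over constructed Sysmon-style event records (process creation, DNS query, network connection) and then correlates hits by process GUID. The event records, field names, the `.safe` extension match, the removable-drive set, the placeholder destination IP and the list of Telegram-owned hosts treated as dead-drop resolvers are all assumptions made for illustration, not indicators published in the report.

```python
"""Hunt for Shuckworm-style USB propagation and Telegram/Telegraph dead-drop
lookups over constructed Sysmon-style events.  Added example; the events,
field names and thresholds are assumptions, not data from the report."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Telegram-owned hosts used as dead-drop resolvers.  telegra.ph (Telegraph) and
# t.me are Telegram's own domains; flagging every PowerShell lookup of them is
# this example's assumption, not a published indicator list.
DEAD_DROP_HOSTS = ("telegra.ph", "t.me", "telegram.org", "telegram.me")

# Script hosts whose activity we inspect.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

# A file with the .safe extension on the command line (the report's "foto.safe").
SAFE_SCRIPT_RE = re.compile(r"[\w.-]+\.safe\b", re.IGNORECASE)

# A drive-letter path such as E:\foto.safe; the letter is captured.
DRIVE_PATH_RE = re.compile(r"(?<![\w])([A-Za-z]):\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    process_guid: str
    detail: str


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_script_host(image: str) -> bool:
    return _basename(image) in SCRIPT_HOSTS


def _is_dead_drop(host: str) -> bool:
    """True for a dead-drop host or any subdomain of one (not a mere suffix match)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in DEAD_DROP_HOSTS)


def check_event(ev: dict, removable_drives: set[str]) -> list[Finding]:
    """Apply the three rules to one event; events from non-script hosts are ignored."""
    out: list[Finding] = []
    if not _is_script_host(ev.get("Image", "")):
        return out
    guid = ev.get("ProcessGuid", "?")
    eid = ev.get("EventID")
    if eid == 1:  # process creation: inspect the command line
        cmd = ev.get("CommandLine", "")
        m = SAFE_SCRIPT_RE.search(cmd)
        if m:
            out.append(Finding("safe_extension_script", guid, m.group(0)))
        for letter in DRIVE_PATH_RE.findall(cmd):
            if letter.upper() in removable_drives:
                out.append(Finding("script_from_removable", guid, letter.upper() + ":\\"))
                break
    elif eid == 22:  # DNS query
        q = ev.get("QueryName", "")
        if _is_dead_drop(q):
            out.append(Finding("dead_drop_lookup", guid, q))
    elif eid == 3:  # network connection
        h = ev.get("DestinationHostname", "")
        if _is_dead_drop(h):
            out.append(Finding("dead_drop_lookup", guid, f"{h}:{ev.get('DestinationPort')}"))
    return out


def hunt(events: list[dict], removable_drives: set[str]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        findings.extend(check_event(ev, removable_drives))
    return findings


def high_confidence(findings: list[Finding], min_rules: int = 2) -> list[str]:
    """Process GUIDs that tripped at least min_rules distinct rules."""
    rules: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        rules[f.process_guid].add(f.rule)
    return sorted(g for g, r in rules.items() if len(r) >= min_rules)


# Constructed sample telemetry (assumption).  203.0.113.10 is a documentation
# address, not a real C2.  Drive E: is the removable drive on this host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{proc-a}", "Image": PS,
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f E:\foto.safe"},
    {"EventID": 22, "ProcessGuid": "{proc-a}", "Image": PS, "QueryName": "telegra.ph"},
    {"EventID": 3, "ProcessGuid": "{proc-a}", "Image": PS, "DestinationHostname": "telegra.ph",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{proc-b}", "Image": PS,            # benign admin script
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"EventID": 22, "ProcessGuid": "{proc-c}",                         # browser, ignored
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "t.me"},
]
REMOVABLE_DRIVES = {"E"}

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS, REMOVABLE_DRIVES)
    for f in found:
        print(f"{f.rule:24} {f.process_guid:10} {f.detail}")
    print("high-confidence processes:", high_confidence(found))
```

Any one of these rules fires on legitimate activity (administrators do run scripts from USB sticks, and t.me is opened by browsers), which is why the example only ignores non-script hosts and leaves the signal to the correlation step: one PowerShell process that both ran from removable media and resolved a Telegram-owned host is what matches the behaviour the report describes. In a real deployment the events would come from exported Sysmon logs and the removable-drive letters from the endpoint rather than a hard-coded set.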

A further analysis of the intrusions shows that the adversary managed to breach machines in the human resources departments of the targeted organizations, suggesting an attempt to glean information about individuals working at those entities.

The findings are yet another indication of Shuckworm's continued reliance on short-lived infrastructure and its ongoing evolution of tactics and tools to stay ahead of the detection curve.

They also arrive a day after Microsoft shed light on destructive attacks, espionage, and information operations carried out by another Russian nation-state actor known as Cadet Blizzard targeting Ukraine.

"This activity demonstrates that Shuckworm's relentless focus on Ukraine continues," Symantec said. "It seems clear that Russian nation-state-backed attack groups continue to laser in on Ukrainian targets in attempts to find data that may potentially help their military operations."