Gamaredon Ukraine Persistent Access Campaign
Persistent access campaign by the Russian FSB-linked Gamaredon group against Ukrainian government, military and critical infrastructure organisations. Gamaredon is the most prolific Russian actor targeting Ukraine, launching thousands of spearphishing attempts per week. The campaign uses the custom PTERODO backdoor and propagates via USB removable media.
Start date: 1 January 2022
End date: —
Techniques: 20
Attributed actors:

Techniques (20)
collection (2)
T1005 Data from Local System
T1113 Screen Capture

command-and-control (3)
T1102.002 Bidirectional Communication
T1105 Ingress Tool Transfer
T1071.001 Web Protocols

discovery (2)
T1082 System Information Discovery
T1083 File and Directory Discovery

execution (3)
T1059.003 Windows Command Shell
T1059.001 PowerShell
T1053.005 Scheduled Task

exfiltration (1)
T1041 Exfiltration Over C2 Channel

initial-access (4)
T1566.002 Spearphishing Link
T1078 Valid Accounts
T1566.001 Spearphishing Attachment
T1091 Replication Through Removable Media

lateral-movement (1)
T1091 Replication Through Removable Media

persistence (3)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1053.005 Scheduled Task

privilege-escalation (4)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1055 Process Injection
T1053.005 Scheduled Task

stealth (5)
T1078 Valid Accounts
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1055 Process Injection
T1027 Obfuscated Files or Information
Indicators of compromise
No IOCs linked to this campaign yet.