Today, the Symantec Threat Hunter Team reported that the Russian-linked cyber group Shuckworm, also known as Gamaredon or Armageddon, is continuing a cyber campaign against Ukrainian organizations. 

The group, first formed in 2014, has long focused its attacks on Ukraine, using living-off-the-land techniques to steal user credentials, gain access to enterprise networks, and achieve lateral movement. 

In fact, last year, the SSU Cyber Security Department’s research highlighted that the group has perpetuated over 5,000 cyberattacks against public authorities and critical infrastructure targets throughout the country. 

While these attacks are primarily focused on Ukrainian organizations, the techniques deployed by the attackers could easily be used to breach the internal systems of other enterprises across the globe. 

How Shuckworm gathers intelligence 

Phishing emails are one of the core tools that Shuckworm uses to target Ukrainian organizations. The attackers click uses into clicking on malicious links and attachments to trick them into distributing remote access tools like Remote Manipulation System (RMS) and UltraVNC, or customized malware called Pterodo/Pteranodon to targets. 

More recently, the group has also begun deploying multiple malware payloads to targeted computers. 

“These payloads are usually different variants of the same Pterodo malware designed to perform similar tasks. Each will communicate with a different command-and-control (C&C) server. The most likely reason the group is using multiple variants is that it may provide a rudimentary way of maintaining persistence on an infected computer,” said Brigid O Gorman, senior intelligence analyst for the Symantec Threat Hunter Team. 

“If one payload or C&C server is detected and blocked, the attackers can fall back on one of the others and roll out more new variants to compensate,” Gorman said. 

What organizations need to do to protect themselves 

Although Shuckworm is exclusively focusing on Ukrainian targets, other attackers can take inspiration from the techniques used by the group and apply them to international enterprise targets to gain access to protected information. 

Gorman thus recommends organizations should use a mixture of detection, protection and hardening technologies to mitigate risks in the potential attack chain. 

They should also monitor the use of dual-use tools, update to the latest version of PowerShell, and implement auditing of administrative account usage. 

“Organizations could also introduce one-time credentials for administrative work to help prevent theft and misuse of admin credentials. We’d also suggest creating profiles of usage for admin tools. Many of these tools are used by attackers to move laterally undetected through a network. Across the board, MFA can help limit the usefulness of compromised credentials,” Gorman said.