Computer Emergency Response Team of Ukraine (CERT-UA) has published a technical analysis of cyber-espionage attacks against Ukraine by the Kremlin-linked threat actor Gamaredon.
According to the Ukrainian cyber defenders, Gamaredon (aka Armageddon, UAC-0010, Shuckworm) may have infected several thousand government computers as part of the group’s operations since the start of Russia’s invasion. Furthermore, the threat actor appears to have carried out at least one destructive attack against Ukrainian information infrastructure facilities.
The initial infection vectors used by the threat actor include emails and messages sent via messaging services such as Telegram, WhatsApp, or Signal. The messages typically contain an HTM or HTA file that, when opened, starts the infection chain.
Once the victim opens the malicious attachment, PowerShell scripts and malware (most often the “GammaSteel” information stealer) are downloaded and executed on the victim's device.
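The chain described above (an HTA attachment received through a messenger, then PowerShell) is what a defender would want to spot in process-creation telemetry. The following is an added example, not code from CERT-UA or the original report: it runs two detection rules over constructed, simplified Sysmon-style log lines. It assumes mshta.exe is the host launching .hta files (the Windows default) and that messenger downloads land in folders named "Telegram Desktop", "WhatsApp" or "Signal"; both assumptions should be adjusted to the environment.

```python
import re

# Constructed sample process-creation events in a simplified key=value form
# (Sysmon EventID 1 style). These lines are made up for this example.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine=mshta.exe C:\Users\u\Downloads\Telegram Desktop\report.hta",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\mshta.exe CommandLine=powershell -w hidden -enc AAAA",
    r"Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe notes.txt",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell Get-Date",
]

# key=value pairs; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Assumption: default download folder names of the messengers named in the report.
MESSENGER_DIRS = ("telegram desktop", "whatsapp", "signal")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the detection rules this event matches."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    # Rule 1: the HTA host (mshta.exe, assumed default handler) spawning a script host.
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        hits.append("hta_spawns_script_host")
    # Rule 2: mshta.exe opening an .hta/.htm/.html file from a messenger download folder.
    if image == "mshta.exe" and re.search(r"\.(hta|html?)\b", cmdline) \
            and any(d in cmdline for d in MESSENGER_DIRS):
        hits.append("messenger_hta_launch")
    return hits


def scan(lines):
    """Run all rules over the log lines; return (line_index, rule_name) pairs."""
    return [(i, rule) for i, line in enumerate(lines) for rule in classify(parse_event(line))]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {rule}")
```

Rule 1 on its own also catches HTA-launched PowerShell from other delivery paths, while Rule 2 flags the messenger-delivered file even before any child process appears.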
Upon gaining initial access, the threat actor proceeds to exfiltrate files, typically within 30 to 50 minutes. An infected computer can hold 80-120 or more infected files, and the attackers can re-infect a machine if at least one malicious file remains on it, CERT-UA notes.
Last month, Gamaredon was observed targeting government entities and organizations in Ukraine's military and security intelligence sectors, using updated malware tools.