[TheRecord] Ukraine discloses identity of Gamaredon members, links it to Russia’s FSB

The Ukrainian Security Service (SSU) has revealed today the real identities of five members of the Gamaredon cyber-espionage group, linking its members to the Crimean branch of the Russian Federal Security Service (FSB).

Officials said the group —which the SSU tracks internally as Armageddon but is more widely known in cybersecurity circles as Gamaredon— operated from the city of Sevastopol, Crimea, but acted on orders from the FSB Center for Information Security (also known as “Center 18”) in Moscow, a known hub for the FSB’s cyber operations.

Five members were identified by name and position and the SSU said it sent them “notices of high treason”:

Chernykh Mykola Serhiiovych (head of the 4th section of SCO of the FSB Sevastopol branch)Sklianko Oleksandr Mykolaiovych (deputy chief of the 4th section of SCO of the FSB Sevastopol branch)Starchenko Anton Oleksandrovych (officer of the 4th section of SCO of the FSB Sevastopol branch)Sushchenko Oleh Oleksandrovych (officer of the 4th section of SCO of the FSB Sevastopol branch)Miroshnychenko Oleksandr Valeriiovych (officer of the 4th section of SCO of the FSB Sevastopol branch)

“They were officers of the ‘Crimean’ FSB, as well as traitors who sided with the enemy during the occupation of the peninsula in 2014,” the SSU said today in a press release.

Image: SSU

To support parts of its claims, the SSU also published a phone conversation between two of the Gamaredon members regarding an attack they were carrying out, in what amounts to a rare piece of evidence that rarely gets unsealed and released to the public in investigations like these.

Although previous reports from multiple cyber-security companies have linked the group to a suspected Russian government entity, today’s SSU press release marks the first time that the Gamaredon group has been linked to the FSB.

One of the most active groups targeting Ukraine

Known as Gamaredon (Eset, PaloAlto), Primitive Bear (CrowdStrike), Winterflouder (iDefence), BlueAlpha (RecordedFuture), BlueOtso (PWC), IronTiden (SecureWorks), SectorC08 (Red Alert), and Callisto (NATO Association of Canada), the group began operations in June 2013, just months before Russia forcibly annexed the Crimean Peninsula from Ukraine.

Since that time, the SSU says the group has carried out more than 5,000 cyberattacks against more than 1,500 Ukrainian government systems.

“The main purpose of its activity is to conduct targeted cyberintelligence operations against state bodies of Ukraine, primarily security, defense and law enforcement agencies, in order to obtain intelligence information,” the SSU said in a 35-page technical report [PDF] that accompanied its press release.

The SSU report describes past Gamaredon attacks with terms such as “intrusiveness and audacity” and suggesting that the group had not been focused on staying “secret for a long time.”

The post Ukraine discloses identity of Gamaredon members, links it to Russia’s FSB appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[SecurityWeek] Russian Hackers Use New ‘SkinnyBoy’ Malware in Attacks on Military, Government Orgs

All posts, Security Week

The Russia-linked threat group known as APT28 has been observed using a new backdoor in a series of attacks targeting military and government institutions, researchers with threat intelligence company Cluster25 reveal. read more Source: Read More (SecurityWeek RSS Feed)

Read More

[HackerNews] Researchers Warn of Linux Cryptojacking Attackers Operating from Romania

All posts, HackerNews

A threat group likely based in Romania and active since at least 2020 has been behind an active cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcer written in Golang. Dubbed “Diicot brute,” the password cracking tool is alleged to be distributed via a software-as-a-service model, with each threat actor furnishing their own […]

Read More

[BleepingComputer] Windows CVE-2021-40444 defenses bypassed as new info emerges

New details have emerged about the recent Windows CVE-2021-40444 zero-day vulnerability, how it is being exploited in attacks, and the threat actor’s ultimate goal of taking over corporate networks. […] Source: Read More (BleepingComputer)

Read More