Ukraine’s leading law enforcement and counterintelligence agency has revealed the identities of five individuals allegedly involved in a series of digital intrusions tied to a cyber-espionage group known as Gamaredon, with connections to Russia’s Federal Security Service (FSB). This disclosure highlights the agency’s ongoing efforts to combat cyber threats directed at Ukraine.
The Security Service of Ukraine (SSU) has described the hacker group as “an FSB special project, specifically targeting Ukraine.” The agency states that these individuals are “officers of the ‘Crimean’ FSB and defectors who sided with hostile forces following the 2014 occupation of the peninsula.” This characterization emphasizes the geopolitical context underpinning their actions.
The SSU has identified the alleged perpetrators as Sklianko Oleksandr Mykolaiovych, Chernykh Mykola Serhiiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriiovych, and Sushchenko Oleh Oleksandrovych. These individuals are implicated in a series of malicious activities that have come to define the Gamaredon threat landscape.
Since its emergence in 2013, the Russia-affiliated Gamaredon group, also known as Primitive Bear or Armageddon, has conducted numerous phishing campaigns aimed at Ukrainian institutions. The group’s goal appears focused on exfiltrating sensitive data from compromised Windows systems for geopolitical advantage, reinforcing the importance of cybersecurity in the region.
The Gamaredon group is estimated to have executed at least 5,000 cyberattacks against Ukrainian public authorities and critical infrastructure. Their targeting has primarily focused on security, defense, and law enforcement agencies, aiming to acquire intelligence for malicious purposes. ESET, a cybersecurity firm, noted that unlike other Advanced Persistent Threat (APT) groups, Gamaredon appears unconcerned with operational stealth. Instead, their methods prioritize rapid deployment within target networks to extract data.
Gamaredon relies on social engineering, chiefly phishing, as one of its primary intrusion vectors. The group has also built an assortment of tooling for breaching organizational defenses, written in languages such as VBScript, C#, and PowerShell and driven through various command shells. The range of this tooling, rather than any single component, is what characterizes the group's operations.
At the forefront of the group's malware arsenal is Pterodo, a remote administration tool capable of keystroke logging, covert data collection, and remote access. Alongside it, a .NET-based file stealer that targets specific document types exemplifies the technical capabilities behind the group's operations. Gamaredon is also known to spread malicious payloads via removable media in order to reach further into networks and siphon sensitive data.
The SSU emphasizes its commitment to countering Russian cyber aggression, declaring that established connections between this group and the FSB are of grave concern for the security of Ukraine’s state infrastructure. This latest identification of key figures within the threat actor highlights the necessity for continuous vigilance against cyber threats.