Attacks by Russian state-sponsored hacking operation Gamaredon against Ukraine's military and government entities have further intensified as Russia combats Ukraine's counteroffensive operations, according to The Record, a news site by cybersecurity firm Recorded Future.
Cyberespionage and data exfiltration were the key objectives of Gamaredon in its ramped-up intrusions against Ukraine, which relied on attack infrastructure built from newly registered domains and subdomains, a report from Ukraine's National Coordination Center for Cybersecurity (NCCC) revealed.
Gamaredon's malware retrieves its domain names from Telegram, Telegraph, and Cloudflare, which has prompted Ukraine to consider limiting the use of the first two services, and the group has also been using stolen documents to impersonate legitimate entities in its phishing campaigns.
The NCCC also noted that Gamaredon's continuous malware toolkit improvements and escalating attacks against Ukraine indicate expanded operations.
"The alignment of their activities with critical military events amplifies the group's potential impact," said the report.
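As an added example (not from the report or from any Gamaredon tooling), the script below shows how a defender might triage the two behaviours the NCCC describes, malware fetching its domain names from Telegram, Telegraph or Cloudflare and contact with newly registered domains, over a constructed egress log; the service hostnames, the log shape, the process names and the 30-day "newly registered" threshold are all assumptions.

```python
from datetime import datetime

# Added example, not from the report. Hostnames for the services the report
# names (Telegram, Telegraph, Cloudflare) are assumptions, as is the log shape.
DEAD_DROP_HOSTS = ("t.me", "api.telegram.org", "telegra.ph", "workers.dev")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
NRD_WINDOW_DAYS = 30  # "newly registered" threshold, an assumption

# Constructed stand-in for a WHOIS/RDAP lookup cache: domain -> registration date.
REGISTRATIONS = {
    "example.com": datetime(1995, 8, 14),
    "bad-docs-update.example": datetime(2024, 10, 1),
}

def registrable_domain(host):
    """Crude eTLD+1: last two labels (enough for the constructed data)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_matches(host, suffixes):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def score_event(ev, registrations=REGISTRATIONS):
    """Return the reasons an egress event resembles dead-drop resolution or
    contact with a newly registered domain; an empty list means no finding."""
    reasons = []
    proc = ev["process"].lower()
    if host_matches(ev["host"], DEAD_DROP_HOSTS) and proc not in BROWSERS:
        reasons.append(f"{proc} (non-browser) fetched from dead-drop service {ev['host']}")
    reg = registrations.get(registrable_domain(ev["host"]))
    if reg is not None and (ev["ts"] - reg).days < NRD_WINDOW_DAYS:
        reasons.append(f"{ev['host']} registered {(ev['ts'] - reg).days} days before contact")
    return reasons

# Constructed egress log (endpoint agent / proxy style), not real telemetry.
EVENTS = [
    {"ts": datetime(2024, 10, 15), "process": "chrome.exe", "host": "telegra.ph"},
    {"ts": datetime(2024, 10, 15), "process": "updater.exe", "host": "telegra.ph"},
    {"ts": datetime(2024, 10, 15), "process": "updater.exe", "host": "cdn.bad-docs-update.example"},
    {"ts": datetime(2024, 10, 15), "process": "outlook.exe", "host": "www.example.com"},
]

def triage(events=EVENTS):
    """Map event index -> reasons, keeping only events with at least one finding."""
    return {i: score_event(e) for i, e in enumerate(events) if score_event(e)}

if __name__ == "__main__":
    for i, reasons in triage().items():
        print(i, EVENTS[i]["process"], EVENTS[i]["host"], reasons)
```

A browser reaching Telegraph is treated as benign here; the signal is a non-browser process doing so, or any process contacting a domain registered within the window.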
Impacted by different levels of log disruption were Microsoft Entra, Microsoft Sentinel, Azure Logic Apps, Azure Monitor, Azure Healthcare APIs, Azure Trusted Signing, Azure Virtual Desktop, and Power Platform, according to Microsoft.
Attacks involved the display of fraudulent Google Meet popup alerts, which would download the StealC or Rhadamanthys infostealers for Windows users and the AMOS Stealer payload for macOS users, according to a Sekoia analysis.
Malicious spear-phishing messages have been leveraged by RomCom to distribute the MeltingClaw or RustyClaw downloaders for the ShadyHammock and DustyHammock backdoors, respectively, with the latter facilitating the delivery of the SingleCamper trojan.