The nearly decade-old advanced persistent threat (APT) group Actinium/Gamaredon seems to have gained a new lease on life, recently resurfacing to target several Ukrainian organizations.[1]
Using 151 domains identified as indicators of compromise (IoCs) by three cybersecurity firms—Microsoft Security,[2] Palo Alto Networks,[3] and Symantec[4]—as jump-off points, our deep dive allowed us to build detailed threat research materials that revealed:
- The domain IoCs resolved to several unique IP addresses, one of which was flagged as “dangerous” by various malware engines.
- Hundreds of domains shared either an IP host or a registrant email address with the domain IoCs; 20% of these were found to be malicious.
- Several of the newly discovered artifacts had Secure Sockets Layer (SSL), WHOIS, and nameserver issues and misconfigurations that could leave them vulnerable to compromise.
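The second bullet describes an infrastructure pivot: start from a seed list of domain IoCs, collect every other domain that shares a resolved IP address or a WHOIS registrant email with a seed, and then measure how much of that expanded set is already flagged. The script below is an added example of that pivot, not code from the research materials; the passive-DNS records, registrant emails, and malicious verdicts are constructed placeholders, and the `max_fanout` cut-off is an assumed heuristic for discarding shared-hosting IPs and privacy-proxy emails, which connect a seed to thousands of unrelated domains and would otherwise swamp the result.

```python
"""Expand seed domain IoCs via shared IP hosts and shared registrant e-mail.

Added example with constructed data; nothing here is from a live lookup.
"""
from collections import defaultdict

# Constructed passive-DNS style records: domain -> set of resolved IPs.
RESOLUTIONS = {
    "seed-a.example": {"203.0.113.10"},
    "seed-b.example": {"203.0.113.10", "198.51.100.7"},
    "neighbor-1.example": {"203.0.113.10"},
    "neighbor-2.example": {"198.51.100.7"},
    "neighbor-3.example": {"192.0.2.44"},
    "unrelated.example": {"192.0.2.44"},
}

# Constructed WHOIS registrant e-mails; "proxy@privacy.example" stands in
# for a privacy-proxy address shared by many unrelated registrations.
REGISTRANTS = {
    "seed-a.example": "reg1@example.net",
    "seed-b.example": "proxy@privacy.example",
    "neighbor-1.example": "reg3@example.net",
    "neighbor-2.example": "reg9@example.net",
    "neighbor-3.example": "reg1@example.net",
    "unrelated.example": "reg7@example.net",
    "bulk-1.example": "proxy@privacy.example",
    "bulk-2.example": "proxy@privacy.example",
    "bulk-3.example": "proxy@privacy.example",
}

SEEDS = {"seed-a.example", "seed-b.example"}

# Constructed verdicts standing in for malware-engine lookups.
MALICIOUS = {"neighbor-1.example"}


def _invert(mapping):
    """Build key -> set(domains) from domain -> key or domain -> set(keys)."""
    inverted = defaultdict(set)
    for domain, value in mapping.items():
        keys = value if isinstance(value, (set, frozenset, list, tuple)) else [value]
        for key in keys:
            inverted[key].add(domain)
    return inverted


def pivot(seeds, resolutions, registrants, max_fanout=3):
    """Return {related_domain: set(reasons)} for domains sharing an IP or
    registrant e-mail with any seed.  Pivot keys that map to more than
    max_fanout domains are skipped as shared hosting / proxy noise (assumed
    heuristic)."""
    ip_to_domains = _invert(resolutions)
    email_to_domains = _invert(registrants)
    related = defaultdict(set)

    for seed in seeds:
        for ip in resolutions.get(seed, ()):
            hosts = ip_to_domains[ip]
            if len(hosts) > max_fanout:
                continue
            for domain in hosts - seeds:
                related[domain].add(f"shared_ip:{ip}")
        email = registrants.get(seed)
        if email:
            same_registrant = email_to_domains[email]
            if len(same_registrant) > max_fanout:
                continue
            for domain in same_registrant - seeds:
                related[domain].add(f"shared_registrant:{email}")
    return dict(related)


def malicious_share(related, verdicts):
    """Fraction of the expanded set already flagged by the verdict source."""
    if not related:
        return 0.0
    return sum(1 for domain in related if domain in verdicts) / len(related)


if __name__ == "__main__":
    found = pivot(SEEDS, RESOLUTIONS, REGISTRANTS)
    for domain, reasons in sorted(found.items()):
        print(domain, sorted(reasons))
    print(f"flagged share: {malicious_share(found, MALICIOUS):.0%}")
```

With the constructed data, `neighbor-1` and `neighbor-2` are reached through shared IPs, `neighbor-3` through a shared registrant, and the three `bulk-*` domains are dropped because the proxy address exceeds the fan-out cut-off. Raising `max_fanout` pulls them back in, which is the trade-off a practitioner tunes: a low cut-off keeps the expanded set tight and defensible, a high one finds more but dilutes the malicious share.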
Download the threat research materials now to access the complete list of identified artifacts, which can be used for additional enrichment, threat analysis, and trend identification.
1. https://www.darkreading.com/attacks-breaches/russian-apt-steps-up-malicious-activity-in-ukraine
2. https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
3. https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/#gamaredon-downloader-infrastructure
4. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine