Gamaredon, the world’s most dangerous hacking for-hire group

Advanced Persistent Threat (APT) groups remain the main objects of study for cybersecurity agencies and firms. One of the groups that has drawn the most attention from these agencies is Gamaredon, a hacking group with links to the Russian government and known for offering its services to other APT groups.

Also identified as Primitive Bear, this group has been active since at least 2013 and has been detected in multiple cyberattacks against Ukraine’s critical infrastructure; this is not to say that Gamaredon has not been detected in other incidents around the world.

Although the activities of this hacking group have been widely documented, this APT continues to operate without restriction, collecting all kinds of information about its potential targets and sharing these reports with other advanced hacking groups. On the attack methods employed by Gamaredon, Cisco Talos experts note that this group bases its operations on the deployment of crimeware, a variant of malware developed specifically for committing financial crimes on online computer systems.

Experts note that these hackers have more than 600 active domains used as C&C servers for the first stage of the attack and for delivering the second-stage payloads: “APT groups are often associated with high-impact malicious activities, creating highly difficult-to-detect networks of activity,” the Talos report adds.

One of the most striking features of Gamaredon is that the group does not seem to benefit directly from the information it collects from its victims, which led Cisco Talos to infer that its main objective is to share critical information with other hacking groups. Experts do not rule out Gamaredon also carrying out operations more directly.

Although they have rarely been identified as the main operators of complex hacking campaigns, experts are clear that Gamaredon is a highly advanced cybercriminal effort: “It may be a misconception to think that Gamaredon is a group sponsored by the Russian government, as these hackers simply collaborate with whoever covers the cost of their services,” the report states.

Cisco Talos classifies Gamaredon as a “second-tier” APT, a category for specialized cybercrime groups not linked to nation states: “Gamaredon remains a highly prolific group that operates unrestricted at a global level, so the risks associated with these campaigns must be taken with absolute seriousness.”

To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.