Russian Hackers Targeted Petroleum Refinery in NATO Country During Ukraine War

The Russia-linked Gamaredon group made an unsuccessful attempt to break into a large petroleum refining company within a NATO member state earlier this year amid the ongoing Russo-Ukrainian war.
The attack, which took place on August 30, 2022, is just one of multiple attacks orchestrated by the advanced persistent threat that's attributed to Russia's Federal Security Service.
Gamaredon, also known by the monikers Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has a history of primarily going after Ukrainian entities and, to a lesser extent, NATO allies to harvest sensitive data.
The attacks themselves entail the delivery of weaponized attachments embedded within spear-phishing emails to deploy a VBScript backdoor on the compromised host that's capable of establishing persistence and executing additional VBScript code supplied by the C2 server.
Gamaredon infection chains have also been observed using geoblocking to limit the attacks to specific locations, and dropper executables to launch next-stage VBScript payloads, which subsequently connect to the C2 server to execute further commands.
The geoblocking mechanism functions as a security blind spot: it reduces the visibility of the threat actor's attacks outside the targeted countries and makes its activities more difficult to track.
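A defender-side heuristic over process-creation telemetry for the chain described above (a mail client or Office process launching a VBScript from a user-writable path, followed by Run-key persistence pointing at a script). This is an added example, not code from the article or from any vendor; the event fields, the rule thresholds and the sample records are constructed assumptions.

```python
"""Heuristics for the attachment -> VBScript backdoor -> persistence chain.
The records below are constructed process-creation events, not real telemetry."""
from __future__ import annotations
import re
from typing import Iterable

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents from which a script host is rarely legitimate (assumed set).
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"currentversion\\run", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list[str]:
    """Return the reasons one process-creation event looks like part of the chain."""
    reasons = []
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev["command_line"]
    if image in SCRIPT_HOSTS:
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"script host spawned by {parent}")
        if ".vbs" in cmd.lower() and USER_WRITABLE.search(cmd):
            reasons.append("VBScript run from user-writable path")
    if image == "reg.exe" and RUN_KEY.search(cmd) and ".vbs" in cmd.lower():
        reasons.append("Run-key persistence pointing at VBScript")
    return reasons

def detect(events: Iterable[dict]) -> dict[int, list[str]]:
    """Map event id -> reasons, for every event matching at least one rule."""
    return {ev["id"]: r for ev in events if (r := classify(ev))}

# Constructed sample telemetry; file names and paths are made up.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\a\AppData\Local\Temp\invoice.vbs"'},
    {"id": 2, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                     r'/v upd /d "wscript //B C:\Users\a\AppData\Roaming\upd.vbs"'},
    {"id": 3, "parent_image": r"C:\Windows\System32\services.exe",  # benign
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
]

if __name__ == "__main__":
    for eid, reasons in detect(SAMPLE_EVENTS).items():
        print(eid, "; ".join(reasons))
```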
News URL: https://thehackernews.com/2022/12/russian-hackers-target-major-petroleum.html