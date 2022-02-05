The Microsoft Threat Intelligence Center (MSTIC) has shared new details on a threat group named ACTINIUM, also known as Gamaredon, that continues to target organizations in Ukraine or entities related to Ukrainian affairs.

Microsoft security researchers have observed the threat group operating out of Crimea with objectives consistent with cyber espionage. ACTINIUM has been publicly attributed to the Russian Federal Security Service (FSB) by the Ukrainian government.

The threat group has been targeting Ukrainian entities across the government, military, non-government organization (NGO), judiciary, law enforcement, and non-profit sectors, with the primary intent of exfiltrating sensitive information, maintaining access, and using that access to move laterally into related organizations.

According to Microsoft, since October 2021 ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and to the security of Ukrainian territory, as well as entities involved in coordinating the distribution of international and humanitarian aid to the country in a crisis.

In a blog post on Friday, Microsoft shared some of its most consistent and notable observations. While ACTINIUM's tactics are constantly evolving, spear-phishing emails carrying malicious macro attachments remain one of the access vectors the group uses most.

According to the researchers, phishing with remote templates (template injection) helps the attackers evade static detection: the attached document contains no macro itself, only a reference to a template on an attacker-controlled server, and the macro is fetched when the document is opened. Hosting the malicious macro remotely also lets the attacker control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing it.
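Because the attachment in a remote-template lure carries no macro, static scanners that look for VBA streams see a clean file. The indicator that does survive in the attachment is the `attachedTemplate` relationship in the Word package pointing at an external host. The following script, an added example written for this page and not code from Microsoft or from the group's own tooling, unpacks a `.docx`, walks its `.rels` parts, and flags any attached template whose target lives off-host (HTTP/HTTPS/FTP URL, UNC path, or `file://` with a remote host), while letting the default local `Normal.dotm` reference through. The sample documents it builds are constructed, minimal packages rather than real Word files, and the hostname `template.example.invalid` is a placeholder, not an observed ACTINIUM indicator.

```python
"""Detect remote (attacker-hosted) template references in a .docx attachment."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML namespaces and the relationship type Word uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ET.register_namespace("", REL_NS)


def is_remote_target(target):
    """True when the template target would be fetched from another host."""
    t = target.strip()
    if t.startswith("\\\\"):  # UNC path, e.g. \\server\share\t.dotm
        return True
    parts = urlsplit(t)
    if parts.scheme.lower() in ("http", "https", "ftp"):
        return True
    # file://server/share is remote; file:///C:/... is a local path (e.g. Normal.dotm)
    return parts.scheme.lower() == "file" and parts.netloc not in ("", "localhost")


def find_attached_templates(docx_bytes):
    """Return (rels_part, target) for every attachedTemplate relationship in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:  # damaged or non-XML part: skip, do not crash the scan
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("Target"):
                    hits.append((name, rel.get("Target")))
    return hits


def remote_template_targets(docx_bytes):
    """Only the attachedTemplate targets that point off-host: the injection indicator."""
    return [(part, tgt) for part, tgt in find_attached_templates(docx_bytes)
            if is_remote_target(tgt)]


def build_sample_docx(target):
    """Constructed minimal package (not a real Word file) carrying an attachedTemplate relationship."""
    rels = ET.Element(f"{{{REL_NS}}}Relationships")
    ET.SubElement(rels, f"{{{REL_NS}}}Relationship", Id="rId1",
                  Type=ATTACHED_TEMPLATE, Target=target, TargetMode="External")
    settings = (f'<w:settings xmlns:w="{WORD_NS}" xmlns:r="{OFFICE_REL_NS}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("word/settings.xml", settings)
        pkg.writestr("word/_rels/settings.xml.rels", ET.tostring(rels, encoding="unicode"))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a hypothetical attacker URL versus the default local Normal.dotm path.
    samples = [
        ("injected", "http://template.example.invalid/t.dotm"),
        ("benign", "file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
    ]
    for label, tgt in samples:
        print(label, remote_template_targets(build_sample_docx(tgt)))
```

Run it against real attachments with `remote_template_targets(open(path, "rb").read())`. The check is deliberately narrow: it fires on the relationship that template injection requires, not on macros, so it complements rather than replaces VBA scanning, and a remote target should be treated as an indicator to pivot on (the URL and host) rather than as proof of compromise on its own.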

The security researchers also saw ACTINIUM use over 25 new unique domains and over 80 unique IP addresses in a single 30-day snapshot, suggesting that the group rotates its infrastructure frequently, which limits the useful life of any single domain or IP indicator.

The threat group was also seen deploying tools such as the "Pterodo" malware to gain access to target networks, and UltraVNC, an open-source remote desktop application, to establish a more interactive connection to a target.

Microsoft said it has already shared this information with Ukrainian authorities.