Full Report
The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine with an aim to deliver an updated version of a known malware called GammaSteel. The group targeted the military mission of a Western country, per the Symantec Threat Hunter team, with first signs of the malicious activity detected on
Analysis Summary
# Incident Report: Gamaredon Attack on Western Military Mission via Removable Media
## Executive Summary
The Russia-linked threat actor Gamaredon (Shuckworm) executed a cyber espionage operation targeting a foreign military mission in Ukraine, initiating compromise via an infected removable drive. The attack deployed a multi-stage malware chain culminating in the deployment of GammaSteel, an information stealer, allowing the threat actor to exfiltrate system metadata and documents from the victim environment.
## Incident Details
- Discovery Date: February 26, 2025 (First signs of malicious activity detected)
- Incident Date: Initiated on or around February 26, 2025
- Affected Organization: Military mission of a Western country
- Sector: Military / Government
- Geography: Ukraine
## Timeline of Events
### Initial Access
- Date/Time: Detected starting February 26, 2025
- Vector: Infected removable drive (USB/external media).
- Details: Attack began with the creation of a Windows Registry value under the UserAssist key, followed by launching `mshta.exe` via `explorer.exe` to start the infection chain.
### Lateral Movement
- Date/Time: Ongoing post-infection, noted March 1, 2025.
- Details: A secondary file created during the initial infection chain was designed to infect any connected **removable drives and network drives** by creating malicious shortcut files (`.lnk`) that execute `mshta.exe`, facilitating secondary infections.
### Data Exfiltration/Impact
- Date/Time: March 1, 2025 (First systematic exfiltration began)
- Details: Initial C2 contact (March 1) involved exfiltrating system metadata. Subsequently, an improved version of the GammaSteel information stealer was deployed to exfiltrate files based on an extension allowlist specifically from the **Desktop and Documents folders**.
### Detection & Response
- Detection: Not explicitly detailed, but the Symantec Threat Hunter team identified the malicious activity starting February 26, 2025.
- Response Actions: Not disclosed. Symantec's analysis and reporting suggest the activity was identified shortly after it began or shortly after the initial stages completed.
## Attack Methodology
- Initial Access: Infected Removable Drive (via autorun imitation or user execution).
- Persistence: Established via creation of malicious files and Registry modifications.
- Privilege Escalation: Not explicitly detailed, but bypassing local security measures was achieved to execute payloads.
- Defense Evasion: Leveraging legitimate services (Teletype, Telegram, Telegraph) for C2 communication and using obfuscation techniques on subsequent PowerShell scripts to lower detection risk.
- Credential Access: Not explicitly mentioned; the focus was on reconnaissance and file theft.
- Discovery: Initial reconnaissance script captured system metadata, security software details, file/folder listings (Desktop), and running processes.
- Lateral Movement: Spreading malware via created shortcut files on connected removable and network drives.
- Collection: Reconnaissance scripts gather system data; GammaSteel specifically collects files from Desktop and Documents folders based on an extension allowlist.
- Exfiltration: C2 communication established via URLs linked to legitimate services; data exfiltrated upon C2 command.
- Impact: Information theft and espionage via the GammaSteel malware.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: System metadata and potentially sensitive files from the Desktop and Documents folders of compromised hosts.
- Operational: Disruption due to system compromise; the use of native tools (PowerShell, mshta.exe) suggests an attempt to blend in with normal operations.
- Reputational: Potential damage to organizational security posture given the target was a sensitive military mission.
## Indicators of Compromise
*Note: The C2 method relies on legitimate services, making traditional IP/URL IoCs less useful.*
- Network indicators: Communications to specific URLs associated with Teletype, Telegram, and Telegraph (used as C2 channels).
- File indicators: Files named `NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms` and `NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms`.
- Behavioral indicators: Execution of `mshta.exe` initiated by `explorer.exe` following external drive connection; creation of malicious shortcut files (`.lnk`) on drives.
## Response Actions
- Containment: Not explicitly detailed; analysis of the malware and its network traffic was implicitly required to understand the scope.
- Eradication steps: Removal of malicious registry entries and scripts, and re-imaging of infected systems, would be necessary.
- Recovery actions: Restoring systems and assessing which data may have been exfiltrated, based on GammaSteel's known functionality.
## Lessons Learned
- **Physical Vector Persistence:** Removable media remains a viable and effective initial access vector, especially against high-value targets where email filters might be robust.
- **Evolution in Tradecraft:** Gamaredon (Shuckworm), though generally considered less advanced than other Russian actors, is actively improving its techniques by increasing code obfuscation and leveraging legitimate web services for C2.
## Recommendations
- Strictly enforce policies regarding the use of unvetted removable media, potentially implementing write-protection or banning use entirely on sensitive networks.
- Enhance endpoint detection and response (EDR) capabilities to monitor for unusual execution chains involving `mshta.exe` initiated via `explorer.exe`, especially in conjunction with device mounting events.
- Implement detailed network monitoring to detect command-and-control beaconing behavior towards known legitimate services like Telegram/Teletype if traffic patterns deviate from expected authorized use.
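A defender-side correlation for the behavioral indicator and EDR recommendation above (`mshta.exe` spawned by `explorer.exe` shortly after a removable drive is mounted on the same host). This is an added example written for this report, not code from Symantec or the original article; the pipe-delimited log format, hostnames, drive letters and paths are constructed fixtures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed telemetry (not from the incident). Format: ts|host|kind|image|parent|cmdline
# kind is "device_mount" (image holds the drive letter) or "process_create".
SAMPLE_LOG = [
    "2025-02-26T09:00:00|WS-01|device_mount|E:||",
    "2025-02-26T09:01:30|WS-01|process_create|C:\\Windows\\System32\\mshta.exe|C:\\Windows\\explorer.exe|mshta.exe E:\\placeholder",
    "2025-02-26T09:02:00|WS-02|process_create|C:\\Windows\\System32\\mshta.exe|C:\\Windows\\System32\\cmd.exe|mshta.exe about:blank",
    "2025-02-26T10:30:00|WS-03|process_create|C:\\Windows\\System32\\mshta.exe|C:\\Windows\\explorer.exe|mshta.exe C:\\temp\\x",
    "2025-02-26T08:40:00|WS-03|device_mount|F:||",  # too long before the mshta launch to correlate
]

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    image: str    # process image path, or drive letter for device_mount
    parent: str   # parent process image path (process_create only)
    cmdline: str

def parse(line: str) -> Event:
    ts, host, kind, image, parent, cmdline = line.split("|", 5)
    return Event(datetime.fromisoformat(ts), host, kind, image, parent, cmdline)

def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_removable_mshta(events, window=timedelta(minutes=10)):
    """Alert when mshta.exe is spawned by explorer.exe on a host within `window`
    after removable media was mounted there. Events may arrive out of order."""
    mounts = {}   # host -> [(mount time, drive letter)]
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "device_mount":
            mounts.setdefault(ev.host, []).append((ev.ts, ev.image))
        elif (ev.kind == "process_create" and _name(ev.image) == "mshta.exe"
              and _name(ev.parent) == "explorer.exe"):
            recent = [(t, d) for t, d in mounts.get(ev.host, [])
                      if timedelta(0) <= ev.ts - t <= window]
            if recent:   # explorer -> mshta with no recent mount is left for a lower-severity rule
                t, drive = recent[-1]
                alerts.append({"host": ev.host, "ts": ev.ts.isoformat(), "drive": drive,
                               "seconds_after_mount": int((ev.ts - t).total_seconds()),
                               "cmdline": ev.cmdline})
    return alerts

def run_sample():
    return detect_removable_mshta(parse(line) for line in SAMPLE_LOG)
```

Only WS-01 fires: WS-02's `mshta.exe` has `cmd.exe` as its parent, and WS-03's mount lies outside the ten-minute window.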