Threat Intelligence Tarot
swords · 7
Russia (FSB - Crimean officers)
G0047 · ★★★★★
risk 3/5
✦ The Hunger ✦
Gamaredon
Shuckworm · Armageddon · ACTINIUM · UAC-0010 · Primitive Bear
Ukraine government · Ukrainian military · Ukrainian NGOs · Security researchers
Active since ~2013 · Ukraine-focused espionage, Military intelligence, Volume-based persistent infection
Other Russian APTs are surgical. Gamaredon is ravenous. It floods Ukraine with malicious documents by the thousands - spray-and-pray volume phishing that relies on saturation rather than precision. A few always open. The Hunger is always fed.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- Continuous Ukraine targeting since 2014 annexation of Crimea
- Pterodo/Pteranodon backdoor family deployment
- Ukrainian military credential harvesting operations (2022)
- Post-invasion surge: thousands of phishing attacks per week (2022)
Defenses
- Anti-phishing training focused on conflict-themed lures (NIST SP 800-50)
- Disable macros and script execution from email attachments (CIS Control 9)
- Ukrainian CERT-UA indicators integration into SIEM (NIST CSF: DE.AE)
- Endpoint protection with behavioral script detection (CIS Control 10)
Reversed: Their Weakness
Gamaredon's high-volume, low-sophistication approach made it one of the most thoroughly documented Russian APT groups. The sheer number of samples gave Ukrainian CERT and Western researchers deep visibility into its tooling and infrastructure.
Data sourced from MITRE ATT&CK. For educational purposes.