Researchers detail Russia-linked group’s cyber-espionage tactics in Ukraine

Symantec looks at how the spies use infected Microsoft Word attachments to implant backdoor files allowing for the delivery of more malware.
Russian flag
Two pedestrians walk past a Russian flag in Moscow on November 4, 2021. (Photo by YURI KADOBNOV / AFP via Getty Images)

Researchers at Symantec say they have identified some of the specific tactics used by a Russia-linked hacking operation that Ukraine’s government outed in November of last year.

The cyber-espionage group, commonly labeled as Gamaredon or Armageddon, is known for using phishing emails to try to install remote access tools on victims’ computers, with the goal of exfiltrating data. Symantec’s Threat Hunter Team published a blog post Monday explaining how the spies used infected Microsoft Word attachments in mid-2021 to implant backdoor files allowing for the delivery of more malware.

The researchers don’t specify who was targeted in their case study. The goal is to highlight the tactics, techniques and procedures (TTP) in question, especially if the Russia-Ukraine conflict boils over in the coming weeks, they say.

“We do not expect to see reemergence of these TTPs until just prior or during active conflict,” the team told CyberScoop.


As tensions between Ukraine and Russia ramped up in late 2021, the Security Service of Ukraine published a detailed analysis linking Gamaredon to Russia’s Federal Security Service (FSB), including recordings of the hackers discussing attacks in real-time.

The Symantec case study tracks an infection on July 14, 2021, that installed a backdoor known as Pterodo. Afterward, the attackers continued “to install variants of their backdoor and execute commands via scripts to ensure persistence.” Within two weeks, Gamaredon installed a “dropper” that downloaded a virtual network computing (VNC) file, which appeared to be “the ultimate payload for this attack,” the researchers say.

The VNC file allowed the attackers to poke around on the compromised machine and potentially exfiltrate information ranging from “job descriptions to sensitive information pertaining to the targeted organization,” the researchers say.

The Symantec team notes that nearly all the suspected malicious files begin with the letter “d,” such as deceive.exe, decide.exe, decipher.exe, deep-sunken.exe and deep-vaulted.exe.

The command-and-control servers for the malware “belong to the short list of hosting providers listed in the SSU report,” the researchers say.


Cyberthreat hunters say Gamaredon has been active since at least 2013. Symantec, a division of Broadcom Software, refers to the hacking group as Shuckworm.

Recent reports about purported Russian cyber-activity against Ukraine include defacements of Ukrainian government websites, and malware that wiped dozens of government computer systems there. Diplomatic efforts to de-escalate the tensions are expected to continue Monday, as Russia masses military forces on Ukraine’s borders.

Russia declared war against Ukraine on Feb. 24., 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine

Latest Podcasts