Shuckworm Espionage Group Attack Detection: russia-backed Threat Actors Repeatedly Attack Ukrainian Military, Security, and Government Organizations

Since russia’s full-scale invasion of Ukraine, the aggressor’s offensive forces have launched an avalanche of cyber-espionage campaigns against Ukraine and its allies, mainly targeting government agencies and frequently leveraging the phishing attack vector. The infamous hacking collective dubbed Shuckworm (Armageddon, Gamaredon), which is known to have links with russia’s FSB, has been observed behind a series of attacks against Ukrainian state bodies since at least 2014, mainly launching targeted cyber-intelligence operations aimed at intelligence gathering. Cybersecurity researchers have recently noticed a surge in the group’s malicious activity, with security services organizations, military and government agencies being the current primary targets.

Detect Shuckworm’s Espionage Campaigns

The persistent and focused cyber-espionage campaigns attributed to russia’s nefarious hacking collective known as Shuckworm capture the attention of cyber defenders due to the severe threat they pose to multiple Ukrainian organizations, mainly in the public sector. The group’s experimenting with long-running intrusions and constantly developing their adversary toolkit demand vigilant awareness from the worldwide community of cyber defenders to be ready to timely respond to the increasing threats of aggressors’ cyber-espionage operations. SOC Prime’s platform for collective cyber defense curates a dedicated set of Sigma rules to help organizations proactively defend against Shuckworm’s attacks. 

All Sigma rules are filtered by the corresponding custom tag “Shuckworm” to simplify the content search. Click the Explore Detections button below to drill down to the entire collection of relevant detection rules and hunting queries mapped to the MITRE ATT&CK® framework and automatically convertible to the industry-leading SIEM, EDR, and XDR solutions. For streamlined threat investigation, explore ATT&CK links, CTI, executable binaries linked to Sigma rules, and more relevant metadata.

Explore Detections

Shuckworm Activity: Analyzing the Latest Attacks

First emerged in 2013, Shuckworm (also known as Gamaredon, Armageddon, Trident Ursa) is a seasoned player in the malicious arena. The hacking collective acts as an integral part of the Federal Security Service of the russian federation aimed to perform targeted cyber intelligence and subversive activities against Ukraine and its allies. CERT-UA keeps a close eye on the offensive operations of the Shuckworm group tracked by CERT-UA researchers under the UAC-0010 identifier. During 2022-2023 Shuckworm remained one of the most intrusive and focused APTs targeting Ukrainian entities on the cyber frontline as well as attempting to disrupt critical infrastructure facilities in the NATO countries. 

Typically, the Shuckworm group relies on spear-phishing campaigns to proceed with cyber-espionage activities. Threat actors apply simple tools written in VBScript, VBA Script, C#, C++, and other programming languages, primarily leveraging open-source software in the early days of their activity while gradually tending to enrich their toolkit with a number of custom cyber espionage tools, including Pterodo/Pteranodon, EvilGnome and multiple information stealers such as GammaLoad, GammaSteal, and Giddome.

Since the full-scale war outbreak in Ukraine, Shuckworm has significantly intensified its malicious activities, with the latest spike observed in February-March 2023. In addition to the increased volumes of attacks, Shuckworm adversaries tend to enrich their malicious toolset. The inquiry by Symantec details that APT actor switch from info-stealers, default Word template hijackers, and different variants of Pteranodon backdoor to a novel USB malware helping hackers to propagate through the network, infecting a broader scope of instances. 

It is worth noting that during its latest campaign, Shuckworm hackers specifically concentrated their attention on HR departments of the Ukrainian government, military, security, and research organization in an attempt to obtain sensitive information on individuals related to those entities. 

The intrusions within the latest campaign typically start with the phishing email carrying a malicious file attached. In case opened, it triggers a PowerShell command that, in turn, downloads the Pterodo payload from the attacker’s server. Additionally, the PowerShell script enumerates all drives on the device and copies itself to a removable USB drive increasing the chances for covert propagation and successful lateral movement across the breached environment. 

Security experts note that Shuckworm remains laser-focused on Ukraine and its allies, continuously advancing its malicious toolset to perform with cyber-espionage and destructive operations. By directly cooperating with CERT-UA and SSSCIP, the SOC Prime team research, develop, and test Sigma rules on the real battlefield, aggregating relevant detection algorithms and encouraging global collaboration through SOC Prime’s Platform. 

Rely on SOC Prime to be fully equipped with detection content against any TTP used by APT groups in their attacks. Access the world’s fastest feed of security news, tailored threat intelligence, and the largest repository of curated 10,000+ Sigma rules continuously enriched with new detection ideas. Unlock the power of augmented intelligence and collective industry expertise to equip any security team member with an ultimate tool for advanced detection engineering. Identify blind spots and timely address them to ensure complete threat visibility based on the organization-specific logs without moving data to the cloud. Register to SOC Prime Platform now and empower your security team with the best tooling for a secure tomorrow.