|
Actinium/Gamaredon, reported as a Russian advanced persistent threat (APT) group that has been active for almost a decade now, had started trailing their sights on Ukrainian organizations back in February 2022. At least three major cybersecurity service providers—Microsoft Security, Palo Alto Networks, and Symantec—published indicators of compromise (IoCs) related to the threat over the years. Their reports gave us 151 unique domains, which served as the starting point for our in-depth investigation.
Our analysis uncovered several other IoCs and artifacts that could be related to the threat, namely:
As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.
Our initial data gathering originally gave us 157 domain names from three reports—133 from Microsoft, 19 from Palo Alto, and five from Symantec. Six were duplicates, leaving us with 151 unique domain IoCs.
Domain Name System (DNS) lookups for the 151 domain IoCs led to the discovery of 19 unique IP resolutions, including:
Reverse IP lookups for these resulted in 67 unique domains that could be connected to the threat. There could be hundreds more possibly connected domains, as our search results were limited to a sample of five domain names per IP address. Examples of connected domains include:
A bulk WHOIS lookup for the domains from our original IoC list and reverse IP lookups allowed us to find one unredacted registrant email address. Using that as a search term for reverse WHOIS lookups limited to currently active domains gave us an additional 218 possibly connected domains, including:
All in all, we managed to obtain an additional 19 IP addresses, 285 domains, and one email address.
Our investigation didn’t stop there. We also subjected the additional web properties we found to the various checks available in Threat Intelligence Platform (TIP) and found that:
If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.
Sponsored byCSC
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com