A Look at Actinium/Gamaredon’s Infrastructure: More Artifacts Revealed

Actinium/Gamaredon, a Russian advanced persistent threat (APT) group reported to have been active for almost a decade, trained its sights on Ukrainian organizations in February 2022. At least three major cybersecurity service providers (Microsoft Security, Palo Alto Networks, and Symantec) have published indicators of compromise (IoCs) related to the threat over the years. Their reports gave us 151 unique domains, which served as the starting point for our in-depth investigation.


Our analysis uncovered several other IoCs and artifacts that could be related to the threat, namely:


  • 19 unique IP addresses the domain IoCs resolved to, one of which was dubbed “dangerous” by various malware engines

  • 67 unique domains that shared IP hosts with the domain IoCs

  • 218 unique domains that shared a domain IoC’s registrant email address

  • 57 connected domains found to be malicious

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.


A Look at Actinium/Gamaredon’s IoCs


Our initial data gathering yielded 157 domain names from three reports: 133 from Microsoft, 19 from Palo Alto, and five from Symantec. Six were duplicates, leaving us with 151 unique domain IoCs.


Domain Name System (DNS) lookups for the 151 domain IoCs led to the discovery of 19 unique IP resolutions, including:


  • 194[.]58[.]92[.]102

  • 2a00[:]f940[:]4[::]10

  • 194[.]67[.] ..
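The pivots described above (collating the vendor lists, removing duplicates, refanging the defanged indicators, resolving the seed domains to IPs, then looking for domains that share an IP host or a registrant email address) can be scripted once the raw lookup data is in hand. The following is an added example written for this page, not the researchers' own tooling: the passive-DNS, WHOIS, and reputation tables are constructed stand-ins for data a practitioner would fetch from a real provider, and every domain, IP, and email in them is a placeholder. It also keeps the co-hosted domains separate from the registrant pivot so the weaker signal (shared hosting) can be reviewed on its own.

```python
"""Added example (not from the post): expanding a seed set of domain IoCs
into related infrastructure. All tables below are constructed for
illustration and stand in for passive-DNS, WHOIS, and reputation feeds."""
from collections import defaultdict

# Constructed IoC lists from three hypothetical vendor reports (defanged).
REPORTS = {
    "vendor_a": ["example-one[.]com", "Example-Two[.]net", "example-three[.]org"],
    "vendor_b": ["example-two[.]net", "example-four[.]ru"],
    "vendor_c": ["example-three[.]org", "example-five[.]site"],
}

# Constructed passive-DNS table: domain -> IPs it has resolved to.
PDNS = {
    "example-one.com": ["194.0.2.10"],
    "example-two.net": ["194.0.2.10", "2001:db8::10"],
    "example-three.org": ["198.51.100.7"],
    "example-four.ru": ["194.0.2.10"],
    "example-five.site": [],                 # no resolution at lookup time
    "unrelated-shop.com": ["198.51.100.7"],  # co-hosted, possibly benign
    "co-hosted-blog.net": ["194.0.2.10"],
    "innocent-cdn.com": ["203.0.113.1"],
}

# Constructed WHOIS registrant-email table (placeholder addresses).
WHOIS_EMAIL = {
    "example-one.com": "reg-a@example.invalid",
    "example-two.net": "reg-a@example.invalid",
    "example-three.org": "reg-b@example.invalid",
    "example-four.ru": "reg-c@example.invalid",
    "example-five.site": "reg-a@example.invalid",
    "co-hosted-blog.net": "reg-b@example.invalid",
    "another-lure.site": "reg-a@example.invalid",
    "innocent-cdn.com": "reg-z@example.invalid",
}

# Constructed reputation verdicts; anything absent is simply unrated.
VERDICTS = {
    "194.0.2.10": "dangerous",
    "co-hosted-blog.net": "malicious",
    "another-lure.site": "malicious",
}

DEFANG = (("[::]", "::"), ("[:]", ":"), ("[.]", "."), ("hxxp", "http"))


def refang(indicator: str) -> str:
    """Reverse the '[.]' / '[:]' / 'hxxp' defanging used in published IoC lists."""
    for fanged, real in DEFANG:
        indicator = indicator.replace(fanged, real)
    return indicator.strip().lower()


def unique_iocs(reports: dict) -> list:
    """Merge every report's list into one sorted, deduplicated, refanged set."""
    return sorted({refang(d) for domains in reports.values() for d in domains})


def cohosted(seeds: list, pdns: dict) -> list:
    """Domains outside the seed set that resolved to an IP a seed resolved to."""
    seed = set(seeds)
    ip_to_domains = defaultdict(set)
    for domain, ips in pdns.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    seed_ips = {ip for d in seed for ip in pdns.get(d, [])}
    return sorted({d for ip in seed_ips for d in ip_to_domains[ip]} - seed)


def shared_registrant(seeds: list, whois: dict) -> list:
    """Domains outside the seed set registered with a seed's registrant email."""
    seed = set(seeds)
    emails = {whois[d] for d in seed if d in whois}
    return sorted({d for d, e in whois.items() if e in emails} - seed)


def expand(reports: dict, pdns: dict, whois: dict, verdicts: dict) -> dict:
    """Run the full pivot and summarise what a blocklist review would need."""
    seeds = unique_iocs(reports)
    total = sum(len(v) for v in reports.values())
    ips = sorted({ip for d in seeds for ip in pdns.get(d, [])})
    connected = sorted(set(cohosted(seeds, pdns)) | set(shared_registrant(seeds, whois)))
    return {
        "seed_domains": seeds,
        "duplicates": total - len(seeds),
        "ips": ips,
        "dangerous_ips": [ip for ip in ips if verdicts.get(ip) == "dangerous"],
        "connected_domains": connected,
        "malicious_connected": [d for d in connected if verdicts.get(d) == "malicious"],
    }


if __name__ == "__main__":
    for key, value in expand(REPORTS, PDNS, WHOIS_EMAIL, VERDICTS).items():
        print(f"{key}: {value}")
```

Shared hosting is the noisiest of the pivots: in the constructed data `unrelated-shop.com` lands in the connected set only because it sits on the same IP as a seed, while `innocent-cdn.com` is correctly excluded. Treating IP co-hosting as a review queue rather than an automatic block, and letting the registrant and reputation signals carry the weight, is the usual way to keep such an expansion from sweeping in legitimate tenants.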
