Microsoft Warns of a New Russian State-Sponsored Hacker Group, Aqua Blizzard (ACTINIUM)

Introducing Aqua Blizzard (code-named ACTINIUM), a formidable nation-state activity group originating from Russia. The Ukrainian government has openly implicated this group, linking its activities to the Russian Federal Security Service (FSB). Renowned for its precise targeting, Aqua Blizzard (ACTINIUM) has established a reputation for focusing on a broad spectrum of targets within Ukraine.



1/25/2024, 2 min read

Aqua Blizzard (ACTINIUM), a nation-state activity group originating from Russia, has established itself as a formidable force in the cyber threat landscape. This article delves into their methodologies, targets, and the evolving nature of their cyber arsenal. Special acknowledgment is given to Microsoft for their pivotal role in revealing and alerting the global community to the activities of this cyber attack group.

Aqua Blizzard's Expansive Landscape

Aqua Blizzard (ACTINIUM) has gained notoriety for its diverse range of targets within Ukraine, encompassing government entities, military installations, non-governmental organizations, judiciary, law enforcement, non-profits, and entities associated with Ukrainian affairs. The Ukrainian government has openly accused the group, attributing its actions to the Russian Federal Security Service (FSB).

Espionage and information extraction serve as the core focus of Aqua Blizzard (ACTINIUM). Their tactics continuously evolve, employing spear-phishing emails as a prominent method of infiltration. This sophisticated ensemble combines malicious attachments, custom tools, and camouflage techniques, showcasing a level of intricacy that demands attention.

Covert Objectives

Aqua Blizzard (ACTINIUM) is a nation-state cyber espionage group originating from Russia, showcasing an intricate set of attack techniques in the cyber realm. Their operational infrastructure is vast, consisting of a meticulously orchestrated network of domains and hosts for payload staging and command-and-control purposes.

Aqua Blizzard's Signature Moves

The group, masters of evasion, continually modifies its infrastructure to stay ahead of cybersecurity measures. Its malware arsenal includes the ever-evolving Pterodo, and it strategically deploys tools like UltraVNC for interactive remote connections. Diverse malware families such as DinoTrain, DesertDown, and ObfuBerry contribute to its sophisticated toolkit.

Targeted Approach

Predominantly focusing on Ukrainian organizations, Aqua Blizzard (ACTINIUM) extends its reach to government entities with a specific interest in intelligence related to Ukraine. Microsoft Threat Intelligence notes the group's diverse aliases, including Gamaredon and UNC530, highlighting their global impact.

Phishing Mastery

Aqua Blizzard (ACTINIUM) excels in spear-phishing, using remote template injection and malicious attachments to infiltrate targets. The group employs diverse phishing lures, incorporating web bugs for monitoring, and designs convincing documents to deceive their targets effectively.
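Remote template injection works because a Word document can declare, in one of its internal relationship parts, that its template lives at an external URL; the lure document itself can be macro-free, and the macro arrives with the template when the document is opened. The scanner below is an added example for this article, not code from Microsoft's report: it unpacks a .docx (a zip archive), reads every `.rels` part, and flags any `attachedTemplate` relationship whose target is an http(s) URL, while listing other external relationships (hyperlinks, local templates) separately so analysts can triage them. The sample documents it builds are constructed in memory and use a reserved `.invalid` hostname as a placeholder.

```python
"""Flag remote (http/https) attached templates in a .docx, the artefact
behind remote template injection (ATT&CK T1221). Added example; the
sample documents are constructed in memory and are not real captures."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"


def external_relationships(docx_bytes):
    """Yield (part_name, relationship_type, target) for every relationship
    in any .rels part that is marked TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # a malformed .rels part deserves a manual look; not parsed here
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def assess(docx_bytes):
    """Return {'remote_templates': [urls], 'other_external': [(part, type_suffix, target)]}.
    A non-empty remote_templates list means the document will fetch its template
    from a web server when opened: the remote template injection indicator."""
    remote, other = [], []
    for part, rel_type, target in external_relationships(docx_bytes):
        scheme = urlparse(target).scheme.lower()
        if rel_type == ATTACHED_TEMPLATE and scheme in ("http", "https"):
            remote.append(target)
        else:
            other.append((part, rel_type.rsplit("/", 1)[-1], target))
    return {"remote_templates": remote, "other_external": other}


def build_sample_docx(template_target=None):
    """Constructed minimal .docx-style zip (not a real sample). If template_target
    is given, word/settings.xml points at it via an external attachedTemplate relationship."""
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="%s"><w:body/></w:document>' % wml)
        # An ordinary external hyperlink, common in benign documents: listed, not flagged.
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%shyperlink" '
                   'Target="https://example.org/page" TargetMode="External"/></Relationships>'
                   % (REL_NS, OFFICE_REL))
        if template_target is not None:
            z.writestr("word/settings.xml",
                       '<w:settings xmlns:w="%s" xmlns:r="%s"><w:attachedTemplate r:id="rId1"/></w:settings>'
                       % (wml, OFFICE_REL.rstrip("/")))
            z.writestr("word/_rels/settings.xml.rels",
                       '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                       'Target="%s" TargetMode="External"/></Relationships>'
                       % (REL_NS, ATTACHED_TEMPLATE, template_target))
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("benign", build_sample_docx()),
               ("local template", build_sample_docx("file:///C:/Templates/Normal.dotm")),
               ("remote template", build_sample_docx("http://template-host.invalid/lure.dotm")))
    for label, doc in samples:
        print(label, assess(doc))
```

Only the `attachedTemplate` relationship with an http(s) target is treated as the indicator; a `file:` template path or a hyperlink is reported under `other_external` so that ordinary documents do not generate alerts. The same check applies to .dotm and .docm files, since they share the package layout.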

Protective Measures

To protect against Aqua Blizzard's (ACTINIUM) advanced techniques, organizations should implement robust email security protocols, educate users on phishing risks, and regularly update and patch systems. Employing advanced threat detection tools and monitoring network traffic can help identify and mitigate potential threats early on.

ATT&CK Techniques Unveiled

The MITRE ATT&CK framework helps to digest the techniques deployed by this attack group, providing details to understand the strategic operational process and how to mitigate them.

  1. Phishing:

    • Spear-phishing with a malicious macro containing a VBScript (T1566.001, T1204.002, T1137.001, T1221, T1059.005).

    • Utilizing a macro requiring the user to open the document, loading further capabilities (T1204.002, T1105).

  2. Impersonation:

    • Spear-phishing emails impersonating legitimate organizations (T1036).

  3. Phishing Links:

    • Spear-phishing with malicious links (T1566.002).

  4. Advanced Phishing Attachments:

    • Spear-phishing emails with attachments (e.g., PowerPunch) containing obfuscated scripts downloading additional malicious payloads (T1566.001, T1105, T1027, T1059.001, T1587.001).

  5. Remote Template Injection:

    • Delivery using remote template injection (T1221).

  6. Persistence Strategies:

    • Utilizing scheduled tasks in scripts for maintaining persistence (TA0003, T1053.005).

  7. Web Bugs and Monitoring:

    • Insertion of web bugs within phishing messages for monitoring (T1566.002).

  8. Data Acquisition and Remote Access:

    • Use of malware like QuietSieve for acquiring data (T1005, T1587.001).

    • Implementation of malware for remote access (T1133, T1587.001).

  9. Operational Infrastructure Mastery:

    • Use of operational infrastructure with numerous domains and hosts for payload staging and randomized subdomains for C2 (T1608.001, T1568.002).

  10. Downloader VBScripts and DNS Manipulation:

    • Use of downloader VBScripts flushing DNS cache and resolving target domains (T1059.005, T1071.001, T1070.004).

  11. Legitimate Providers and Domain Acquisition:

    • Acquisition of domains from legitimate providers (T1583.001).

  12. Dynamic Infrastructure Modifications:

    • Implementation of domain name DNS records that frequently change, showcasing frequent modifications to the group’s infrastructure with unique IP addresses (T1568, T1583).
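Items 9 and 12 describe an infrastructure pattern that is visible in resolver logs even when the domains themselves are new: many randomized subdomains under one registered domain, each resolving to a different address. The script below is an added example, not from Microsoft's report, that profiles constructed DNS query log lines (timestamp, client, queried name, answered address) per registered domain and flags domains whose unique subdomain labels are numerous and high-entropy. The log lines, the two-label approximation of the registrable domain (no public suffix list) and the thresholds are all assumptions made for the example.

```python
"""Flag registered domains that show many randomized subdomains in DNS
query logs (the C2 infrastructure pattern in items 9 and 12). Added
example; the log lines below are constructed, not real traffic."""
import math
from collections import defaultdict

# Constructed log format: "<timestamp> <client> <qname> <answer_ip>".
# staging-host.test mimics randomized per-query subdomains with unique answers;
# example.org carries ordinary named hosts and should not be flagged.
SAMPLE_DNS_LOG = """\
2024-01-25T09:00:01 10.0.0.5 www.example.org 93.184.216.34
2024-01-25T09:00:02 10.0.0.5 mail.example.org 93.184.216.35
2024-01-25T09:00:03 10.0.0.7 a7f3k9qz.staging-host.test 198.51.100.10
2024-01-25T09:00:04 10.0.0.7 p2m8x4lw.staging-host.test 198.51.100.11
2024-01-25T09:00:05 10.0.0.7 q9z1v6tn.staging-host.test 198.51.100.12
2024-01-25T09:00:06 10.0.0.7 b4c7h2rk.staging-host.test 198.51.100.13
2024-01-25T09:00:07 10.0.0.7 x1n5m3je.staging-host.test 198.51.100.14
2024-01-25T09:00:08 10.0.0.9 www.example.org 93.184.216.34
2024-01-25T09:00:09 10.0.0.9 cdn.example.org 93.184.216.36
2024-01-25T09:00:10 10.0.0.9 static.example.org 93.184.216.37
2024-01-25T09:00:11 10.0.0.9 api.example.org 93.184.216.38
2024-01-25T09:00:12 10.0.0.9 blog.example.org 93.184.216.39
"""


def shannon_entropy(label):
    """Bits of entropy per character of a label; ~3.0 for 8 distinct characters."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the registrable domain is the last two labels (no public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def profile_dns_log(text):
    """Group queries by registered domain: unique subdomains, answered IPs, query count."""
    profile = defaultdict(lambda: {"subdomains": set(), "ips": set(), "queries": 0})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        _, _, qname, answer = fields[:4]
        name = qname.rstrip(".").lower()
        domain = registered_domain(name)
        sub = name[: -len(domain)].rstrip(".")
        entry = profile[domain]
        entry["queries"] += 1
        entry["ips"].add(answer)
        if sub:
            entry["subdomains"].add(sub)
    return profile


def flag_randomized_subdomains(text, min_unique=5, min_entropy=2.5):
    """Return registered domains with at least min_unique distinct subdomains whose
    leftmost labels have mean entropy >= min_entropy (thresholds are assumptions)."""
    flagged = []
    for domain, entry in profile_dns_log(text).items():
        subs = entry["subdomains"]
        if len(subs) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(s.split(".")[0]) for s in subs) / len(subs)
        if mean_entropy >= min_entropy:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, entry in profile_dns_log(SAMPLE_DNS_LOG).items():
        print(domain, len(entry["subdomains"]), "subdomains,", len(entry["ips"]), "answers")
    print("flagged:", flag_randomized_subdomains(SAMPLE_DNS_LOG))
```

Entropy alone would also flag content delivery hostnames, so the unique-subdomain count and, on a real resolver, the number of distinct answered addresses per domain are what make the pattern distinctive; tune both thresholds against a baseline of your own traffic before alerting on them.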

Origin: Russia (RU)

Targets: Government Agencies & Services: Defense, Law Enforcement. Non-Government Organization: Human Rights Organization

The group, alternatively identified by aliases such as Primitive Bear, ACTINIUM, SectorC08, Shuckworm, Gamaredon, UNC530, and Armageddon, operates under a diverse set of monikers.