The actor that Microsoft tracks as Aqua Blizzard (ACTINIUM) is a nation-state activity group based out of Russia. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB). Aqua Blizzard (ACTINIUM) is known to primarily target organizations in Ukraine, including government entities, the military, non-governmental organizations, the judiciary, law enforcement, and non-profit organizations, as well as entities related to Ukrainian affairs. Aqua Blizzard (ACTINIUM) focuses on espionage and exfiltration of sensitive information. Its tactics are constantly evolving and encompass a multitude of advanced techniques and procedures. The actor is known to primarily use spear-phishing emails with malicious attachments that contain a first-stage payload, which downloads and launches further payloads. The actor uses a variety of custom tools and malware to achieve its objectives, often heavily obfuscated VBScripts, obfuscated PowerShell commands, self-extracting archives, Windows shortcut (LNK) files, or a combination of these. Aqua Blizzard (ACTINIUM) frequently relies on scheduled tasks created by these scripts to maintain persistence.
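As an added illustration of the scheduled-task persistence pattern described above (example code written for this page, not Microsoft's tooling or the actor's), the following Python script triages Windows Security event 4698 (scheduled task created) records: it parses the task XML carried in the TaskContent field and scores each task on whether it launches a script host such as wscript.exe or powershell.exe, references a user-writable path, passes hidden, encoded or script-file arguments, or repeats at a short interval. The three event records, task names, user names and paths are constructed samples, and the heuristic list, the one-point-per-heuristic scoring and the threshold of 3 are assumptions chosen for the example.

```python
"""Triage Windows Security event 4698 (scheduled task created) records for
script-host persistence.  Example code added for this page; the event
records below are constructed, not real telemetry."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (the TaskContent field of event 4698).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Script hosts commonly used to launch VBScript/PowerShell/HTA stages (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "cmd.exe"}
# Locations an unprivileged user can write to (assumed list; extend as needed).
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\temp\\|%temp%|%appdata%|%localappdata%)")
# Hidden/encoded execution flags and script file types worth a second look.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\b|-w(indowstyle)?\s+hidden|-nop\b"
    r"|//b\b|//e:|\.vbs\b|\.lnk\b|\.hta\b)")


def parse_task(task_xml):
    """Parse the task XML; return the root element, or None if it is malformed."""
    try:
        return ET.fromstring(task_xml)
    except ET.ParseError:
        return None


def exec_actions(root):
    """Return (command, arguments) pairs for every <Exec> action in the task."""
    pairs = []
    for node in root.iter(TASK_NS + "Exec"):
        cmd = (node.findtext(TASK_NS + "Command") or "").strip()
        args = (node.findtext(TASK_NS + "Arguments") or "").strip()
        pairs.append((cmd, args))
    return pairs


def repetition_minutes(root):
    """Return the trigger repetition interval in minutes (ISO 8601 PTnHnMnS), or None."""
    node = root.find(".//" + TASK_NS + "Interval")
    if node is None or not node.text:
        return None
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", node.text.strip())
    if not m:
        return None
    hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return hours * 60 + mins + secs / 60


def score_task(event):
    """Score one 4698 record: one point per matched heuristic, plus the reasons."""
    root = parse_task(event["TaskContent"])
    if root is None:
        return 1, ["task XML did not parse"]
    reasons = []
    for cmd, args in exec_actions(root):
        exe = cmd.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host action: {exe}")
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("references a user-writable path")
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("hidden/encoded/script-file arguments")
    interval = repetition_minutes(root)
    if interval is not None and interval <= 15:
        reasons.append(f"repeats every {interval:g} min")
    return len(reasons), reasons


def flag_persistence(events, threshold=3):
    """Return (task name, score, reasons) for 4698 records scoring at or above threshold."""
    hits = []
    for event in events:
        if event.get("EventID") != 4698:
            continue
        score, reasons = score_task(event)
        if score >= threshold:
            hits.append((event["TaskName"], score, reasons))
    return hits


# Constructed sample records in the shape of event 4698 fields (not real data).
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent":
         r'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         r'<Triggers><CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval>'
         r'</ScheduleByWeek></CalendarTrigger></Triggers>'
         r'<Actions><Exec><Command>%windir%\system32\defrag.exe</Command>'
         r'<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>'},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": r"\Update",
     "TaskContent":
         r'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         r'<Triggers><TimeTrigger><StartBoundary>2024-01-01T09:00:00</StartBoundary>'
         r'<Repetition><Interval>PT10M</Interval></Repetition></TimeTrigger></Triggers>'
         r'<Actions><Exec><Command>wscript.exe</Command>'
         r'<Arguments>//b //e:vbscript "C:\Users\alice\AppData\Roaming\Adobe\updt.vbs"</Arguments>'
         r'</Exec></Actions></Task>'},
    {"EventID": 4698, "SubjectUserName": "backupsvc", "TaskName": r"\Backup\Nightly",
     "TaskContent":
         r'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         r'<Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval>'
         r'</ScheduleByDay></CalendarTrigger></Triggers>'
         r'<Actions><Exec><Command>powershell.exe</Command>'
         r'<Arguments>-NoProfile -File "C:\Program Files\Backup\run.ps1"</Arguments>'
         r'</Exec></Actions></Task>'},
]

if __name__ == "__main__":
    for name, score, reasons in flag_persistence(SAMPLE_EVENTS):
        print(f"{name}: score {score}: {'; '.join(reasons)}")
```

Run as-is, only the constructed \Update task is reported (score 4: wscript.exe action, a path under the user's AppData, the //b and .vbs arguments, and a 10-minute repetition), while the defrag task scores 0 and the nightly PowerShell backup scores 1 for the script host alone. Scoring by independent heuristics rather than by a single signature is what keeps the check useful as the actor's scripts change: the obfuscation varies, but a task that repeatedly runs a script host from a user-writable location is the persistence shape the text describes.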
Aqua Blizzard (ACTINIUM) also deploys tools such as Pterodo, a constantly evolving malware family, to gain interactive access to target networks, maintain persistence, and gather intelligence. In some cases the group also deploys UltraVNC, a remote desktop software utility, to obtain a more interactive connection to a target. Aqua Blizzard (ACTINIUM) employs a variety of malware families including DinoTrain, DesertDown, DilongTrash, ObfuBerry, ObfuMerry, and PowerPunch. Other security companies track Aqua Blizzard (ACTINIUM) as Gamaredon, Armageddon, Primitive Bear, and UNC530.