
Nation State Actor Aqua Blizzard


The actor that Microsoft tracks as Aqua Blizzard (ACTINIUM) is a nation-state activity group based in Russia. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB). Aqua Blizzard (ACTINIUM) primarily targets organizations in Ukraine, including government entities, the military, non-governmental organizations, the judiciary, law enforcement, and non-profits, as well as entities involved in Ukrainian affairs. The group focuses on espionage and the exfiltration of sensitive information. Its tactics are constantly evolving and encompass a wide range of advanced techniques and procedures. The actor primarily uses spear-phishing emails with malicious attachments that carry a first-stage payload, which in turn downloads and launches further payloads. It uses a variety of custom tools and malware to achieve its objectives, often relying on heavily obfuscated VBScripts, obfuscated PowerShell commands, self-extracting archives, Windows shortcut (LNK) files, or a combination of these. Aqua Blizzard (ACTINIUM) frequently relies on scheduled tasks created by these scripts to maintain persistence.

Aqua Blizzard (ACTINIUM) also deploys tools such as Pterodo, a constantly evolving malware family, to gain interactive access to target networks, maintain persistence, and gather intelligence. In some cases, it also deploys UltraVNC, a remote desktop utility, to enable a more interactive connection to a target. Aqua Blizzard (ACTINIUM) employs a variety of malware families, including DinoTrain, DesertDown, DilongTrash, ObfuBerry, ObfuMerry, and PowerPunch. Other security companies track Aqua Blizzard (ACTINIUM) as Gamaredon, Armageddon, Primitive Bear, and UNC530.
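The profile above singles out scheduled tasks, launched from obfuscated VBScript or PowerShell, as the persistence mechanism to watch. The following is an added detection sketch, not Microsoft's code: it assumes the input is the TaskContent XML that Windows Security Event 4698 (a scheduled task was created) records, and flags tasks whose Exec action runs a script host or carries encoded-command, hidden-window, script-file or user-writable-path arguments. The task names, paths and base64 string in the samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler definition namespace (Event 4698 carries this XML in its TaskContent field).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Launchers for the VBScript / PowerShell stages the profile describes.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
# Argument tells: encoded or hidden PowerShell, script/shortcut files, user-writable paths.
SUSPICIOUS_ARGS = re.compile(
    r"(?:^|\s)-(?:e|enc|encodedcommand|w|windowstyle)\b"
    r"|\.(?:vbs|vbe|hta|lnk)\b|%(?:temp|appdata|localappdata)%",
    re.IGNORECASE,
)

def _basename(command: str) -> str:
    # Reduce 'C:\...\wscript.exe', 'wscript' or a quoted path to one lower-case image name.
    name = command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".exe") else name + ".exe"

def flag_task(task_xml: str) -> "dict | None":
    """Describe a task that launches a script host or carries script-like arguments; None otherwise."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    reasons = []
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if _basename(cmd) in SCRIPT_HOSTS:
            reasons.append(f"script host: {_basename(cmd)}")
        reasons += [f"argument: {m.group(0).strip()}" for m in SUSPICIOUS_ARGS.finditer(args)]
    return {"task": uri, "reasons": reasons} if reasons else None

def scan(task_documents: "list[str]") -> "list[dict]":
    return [hit for hit in map(flag_task, task_documents) if hit]

def _task(uri: str, command: str, arguments: str) -> str:
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><RegistrationInfo><URI>{uri}</URI></RegistrationInfo>'
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

# Constructed samples built with _task(), not real telemetry: a vendor updater, a VBE launch, encoded PowerShell.
SAMPLE_TASKS = [
    _task(r"\Vendor\Updater", r"C:\Program Files\Vendor\updater.exe", "/silent"),
    _task(r"\Microsoft\Update", "wscript.exe", r'//b //e:vbscript "%APPDATA%\Microsoft\update.vbe"'),
    _task(r"\OfficeCheck", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-w hidden -enc ZQBjAGgAbwA="),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_TASKS):
        print(hit["task"], "->", "; ".join(hit["reasons"]))
```

On a real host, feed the unescaped TaskContent field of each 4698 event to scan() and correlate hits with the creating process, since a script host registering another script host is the pattern the profile describes.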

Also known as: Primitive Bear, ACTINIUM, SectorC08, Shuckworm, Gamaredon, UNC530, Armageddon

Country of origin: Russia

Countries targeted: Eastern Europe, Ukraine

Industries targeted: Government, Military, Law enforcement, Non-profit organizations

Microsoft Threat Intelligence: Recent Aqua Blizzard Articles

Cyber threat activity in Ukraine: analysis and resources

ACTINIUM targets Ukrainian organizations