cyber_threat_intelligence/actors/Gamaredon/README.md

# Gamaredon - Cyber Threat Intelligence
These _indicators_ were collected during the [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gamaredon](https://vuldb.com/?actor.gamaredon). The _activity monitoring_ correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique _predictive model_ is able to forecast activities and their characteristics.

_Live data_ and more _analysis capabilities_ are available at [https://vuldb.com/?actor.gamaredon](https://vuldb.com/?actor.gamaredon)

## Campaigns

The following _campaigns_ are known and can be associated with Gamaredon:

* Ukraine

## Countries

These _countries_ are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gamaredon:

* [RU](https://vuldb.com/?country.ru)

## IOC - Indicator of Compromise

These _indicators of compromise_ (IOC) indicate associated network resources which are known to be part of research and attack activities of Gamaredon.
There are 198 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

_Tactics, techniques, and procedures_ (TTP) summarize the suspected ATT&CK techniques used by Gamaredon. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Weakness | Description | Confidence
-- | --------- | -------- | ----------- | ----------
1 | T1059.007 | CWE-79 | Cross Site Scripting | High
## References

The following list contains _external sources_ which discuss the actor and the associated activities:

* https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/
* https://github.com/blackorbird/APT_REPORT/blob/master/Gamaredon/Gamaredon202102_ioc1000%2B.csv
* https://github.com/SentineLabs/Gamaredon-APT/blob/master/2020-02-04-gamaredon-blog-iocs-vk.misp.csv
* https://pastebin.com/Vhb4KF5L
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
* https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/

## Literature

The following _articles_ explain our unique predictive cyber threat intelligence:

* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)

## License

(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!