Nodaria (UAC-0056), a Russia-sponsored threat actor, has been active since at least March 2021, primarily targeting Ukraine but also known to have targeted entities in Kyrgyzstan and Georgia. Initially relatively unknown, Nodaria's activities escalated significantly following the Russian invasion of Ukraine, leading to its recognition as a key player in Russia's ongoing cyber campaigns against Ukraine. The group first gained significant attention in January 2022 when Ukraine’s Computer Emergency Response Team (CERT-UA) highlighted their use of SaintBot and OutSteel malware in spear-phishing attacks targeting government entities.
From October 2022 into 2023, Nodaria deployed a new information-stealing malware, dubbed Graphiron, against targets in Ukraine. This sophisticated malware, attributed to Nodaria by Broadcom-owned Symantec, demonstrated advanced information-gathering capabilities and multiple evasion techniques. CERT-UA noted that Nodaria had breached multiple Ukrainian government websites using backdoors placed as far back as December 2021.
With the deployment of Graphiron, Nodaria joined another Russian state-sponsored group, Gamaredon, in extensively singling out Ukraine for cyberattacks. Their tactics include compromising websites, typosquatting, malicious redirection through pseudo-short-URL domains, Google AdSense fraud, and the use of DDoS-Guard and WordPress. The high level of Nodaria activity over the past year suggests an escalating trend in cyber espionage operations linked to geopolitical tensions.
Description last updated: 2024-05-04T21:16:06.385Z