Nodaria

Threat Actor Profile Updated 3 months ago
Nodaria (UAC-0056) is a Russia-sponsored threat actor that has been active since at least March 2021. It primarily targets Ukraine but has also targeted entities in Kyrgyzstan and Georgia. Initially little known, the group's activity escalated significantly after the Russian invasion of Ukraine, and it is now regarded as a key player in Russia's ongoing cyber campaigns against Ukraine.

The group first drew significant attention in January 2022, when Ukraine's Computer Emergency Response Team (CERT-UA) reported its use of the SaintBot and OutSteel malware in spear-phishing attacks against government entities. From October 2022 into 2023, Nodaria deployed a new information-stealing malware, dubbed Graphiron, against targets in Ukraine. Broadcom-owned Symantec attributed Graphiron to Nodaria and noted its advanced information-gathering capabilities and multiple evasion techniques. CERT-UA separately reported that Nodaria had breached multiple Ukrainian government websites using backdoors planted as far back as December 2021.

With the deployment of Graphiron, Nodaria joined another Russian state-sponsored group, Gamaredon, in extensively singling out Ukraine for cyberattacks. Its reported tactics include compromising websites, typosquatting, malicious redirection through pseudo-URL-shortener domains, Google AdSense fraud, and the use of DDoS-Guard and WordPress. The group's high level of activity over the past year points to an escalating trend in cyber-espionage operations tied to geopolitical tensions.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
(no overlapping profiles listed)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Ukraine
Infostealer
Fraud
Wordpress
Ukrainian
Russia
Espionage
Government
Ddos
Wiper
Phishing
State Sponso...
Associated Malware
ID | Type | Votes | Profile Description
WhisperGate | Unspecified | 2 | WhisperGate is a type of malware, specifically a wiper, that was used extensively in cyberattacks against Ukrainian organizations throughout 2022. It was one of several malicious software tools deployed by Russian Advanced Persistent Threat (APT) actors, alongside others such as AwfulShred, CaddyWip
OutSteel | Unspecified | 1 | OutSteel is a type of malware, specifically a document stealer and file uploader, developed using the scripting language AutoIT. It was first highlighted by CERT-UA in January 2022 for its use in spear-phishing attacks against government entities, alongside another malware known as SaintBot. These m
Associated Threat Actors
ID | Type | Votes | Profile Description
Gamaredon | Unspecified | 1 | Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Nodaria threat actor was drawn from the documents listed below (display limited to 20 results).
Source | Created At | Title
CERT-EU | 8 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Ukrainian government websites using two-year-old backdoors
CERT-EU | a year ago | 13th February – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Cyber security week in review: February, 10
CERT-EU | a year ago | Anomali Cyber Watch: Hospital Ransoms Pay for Attacks on Defense, Nodaria Got Upgraded Go-Based Infostealer, TA866 Moved Screenshot Functionality to Standalone Tool
CERT-EU | a year ago | Russian Hackers Using Graphiron Malware to Steal Data from Ukraine
Securityaffairs | a year ago | New Graphiron info-stealer used in attacks against Ukraine
CERT-EU | a year ago | New Info-Stealer Discovered as Russia Prepares Fresh Offensive