Russian APT Primitive Bear attacks Western government department in Ukraine through job hunt

The hacking group's latest activities come at a time when tension is boiling between Russia and Ukraine.
Written by Charlie Osborne, Contributing Writer

A sophisticated cybercriminal group hailing from Russia has been caught trying to attack a Western government outfit located in Ukraine.

At a time when tensions between Russia and Ukraine are high, with world leaders concerned that the former is intending to invade, there is already digital warfare at hand. 

In recent weeks, Ukraine has been subject to defacement and tampering of numerous government-run websites, Microsoft's Threat Intelligence Center (MSTIC) has warned that destructive malware is being used in assaults against Ukrainian organizations, and the US Treasury Department has sanctioned Ukrainian nationals for allegedly trying to help create "instability" ahead of a potential invasion. 

The UK's National Cyber Security Centre (NCSC) is also urging organizations to ramp up their defenses in light of recent cyberattacks against Ukraine. 

Now, researchers from Palo Alto Networks have uncovered ongoing activity against Ukraine performed by Primitive Bear/Gamaredon, an advanced persistent threat (APT) group of Russian origin. 

The team says that while there is no evidence that Primitive Bear is responsible for any of the recent, publicized attacks, as "one of the most active existing advanced persistent threats targeting Ukraine, we anticipate we will see additional malicious cyber activities over the coming weeks as the conflict evolves."

Also: Arid Viper hackers strike Palestine with political lures and Trojans

Since 2013, before Russia annexed Crimea, Primitive Bear has been focused on attacks against Ukrainian government officials and organizations in the country. 

Palo Alto's Unit 42 has been tracking the APT ever since and has now mapped out three clusters used in campaigns that link to over 700 malicious domains, 215 IP addresses, and a toolkit of over 100 malware samples. 

On January 19, Primitive Bear tried to attack the networks of an unnamed "Western government entity" in Ukraine.

The initial attack vector is an interesting one: rather than sending a typical phishing email, the attackers searched for an active job listing at the department and uploaded a malicious downloader within a resume. 

"Given the steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Primitive Bear/Gamaredon to compromise this Western government organization," the researchers note.

There is also evidence that Primitive Bear has targeted the State Migration Service of Ukraine with phishing emails. 

As disclosed by CERT Estonia (.PDF), the APT has used malicious macros in .dox/.dot template attachments to execute wiper malware in the past. 

"As international tensions surrounding Ukraine remain unresolved, Gamaredon's operations are likely to continue to focus on Russian interests in the region," Palo Alto says. "While we have mapped out three large clusters of currently active Gamaredon infrastructure, we believe there is more that remains undiscovered."

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards