Russian APT Primitive Bear attacks Western gov’t department in Ukraine through job hunt | ZDNet

A Russian advanced persistent threat (APT) group has been caught trying to attack a Western government entity located in Ukraine.

At a time when tensions between Russia and Ukraine are high, and world leaders fear that Russia intends to invade, the digital side of the conflict is already under way.

In recent weeks, numerous Ukrainian government websites have been defaced or tampered with; Microsoft's Threat Intelligence Center (MSTIC) has warned that destructive malware is being used in attacks against Ukrainian organizations; and the US Treasury Department has sanctioned Ukrainian nationals accused of working to create "instability" ahead of a potential invasion.

The UK’s National Cyber Security Centre (NCSC) is also urging organizations to ramp up their defenses in light of recent cyberattacks against Ukraine. 

Now, researchers from Palo Alto Networks have uncovered ongoing activity against Ukraine performed by Primitive Bear/Gamaredon, an advanced persistent threat (APT) group of Russian origin. 

The team says that while there is no evidence that Primitive Bear is responsible for any of the recent, publicized attacks, as “one of the most active existing advanced persistent threats targeting Ukraine, we anticipate we will see additional malicious cyber activities over the coming weeks as the conflict evolves.”

Since 2013, before Russia annexed Crimea, Primitive Bear has been focused on attacks against Ukrainian government officials and organizations in the country. 

Palo Alto Networks' Unit 42 has been tracking the APT ever since and has now mapped out three clusters of infrastructure used in its campaigns, linking over 700 malicious domains, 215 IP addresses, and a toolkit of over 100 malware samples.

On January 19, Primitive Bear tried to attack the networks of an unnamed “Western government entity” in Ukraine.

The initial access vector is an unusual one: rather than sending a typical phishing email, the attackers found an active job listing at the department and submitted a resume with a malicious downloader embedded in it, so the lure arrived through a channel on which the department expects to receive documents from strangers.

“Given the steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Primitive Bear/Gamaredon to compromise this Western government organization,” the researchers note.

There is also evidence that Primitive Bear has targeted the State Migration Service of Ukraine with phishing emails. 

As disclosed by CERT Estonia in a PDF report, the APT has previously used malicious macros in .docx/.dot template attachments to execute wiper malware.
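The job-application lure and the macro-laden template attachments described above both rely on a Word document that does more than display a resume. The following is an added example, not code from the ZDNet article, Unit 42 or CERT-EE: a pre-screening check an HR intake pipeline could run on every uploaded OOXML file before a human opens it. It flags an embedded VBA project (the macro technique named in the CERT-EE report) and, going beyond what this page describes, an attachedTemplate relationship that points at an external URL, the remote-template mechanism Gamaredon is widely documented as using to pull a second, macro-bearing document on open. The relationship names are the standard ECMA-376 ones; the documents the demo scans are constructed in memory and are not real Gamaredon samples.

```python
import io
import re
import zipfile
from typing import List, Optional

# Relationship type suffixes Word uses inside word/_rels/*.rels (ECMA-376 names).
HYPERLINK_REL = "/relationships/hyperlink"
ATTACHED_TEMPLATE_REL = "/relationships/attachedTemplate"


def scan_office_upload(data: bytes) -> List[str]:
    """Inspect an uploaded OOXML document (.docx/.dotx/.docm/.dotm) and return findings.

    Two checks an application-intake service can run before anyone opens the file:
      1. a VBA project part (macros), the mechanism CERT-EE attributed to Gamaredon;
      2. a relationship whose Target is external and is not a plain hyperlink,
         above all an attachedTemplate pointing at a remote URL, which makes Word
         fetch a second document (where the macros can live) when the file opens.
    Legacy binary .doc/.dot files are not zip containers and are reported as such.
    """
    findings: List[str] = []
    blob = io.BytesIO(data)
    if not zipfile.is_zipfile(blob):
        return ["not an OOXML container (legacy .doc/.dot or another format): needs a separate scanner"]
    try:
        with zipfile.ZipFile(blob) as z:
            for name in z.namelist():
                low = name.lower()
                if low.endswith("vbaproject.bin"):
                    findings.append(f"macro project present: {name}")
                if not low.endswith(".rels"):
                    continue
                rels = z.read(name).decode("utf-8", errors="replace")
                # <Relationship ...> tags only; the \b keeps <Relationships> (the root) out.
                for tag in re.findall(r"<Relationship\b[^>]*>", rels):
                    if 'TargetMode="External"' not in tag:
                        continue
                    if HYPERLINK_REL in tag:
                        continue  # ordinary clickable links are normal in a resume
                    target = re.search(r'Target="([^"]*)"', tag)
                    kind = "remote template" if ATTACHED_TEMPLATE_REL in tag else "external part"
                    findings.append(f"{kind} in {name}: {target.group(1) if target else '?'}")
    except zipfile.BadZipFile:
        findings.append("corrupt zip container: treat as suspicious")
    return findings


def build_demo_docx(remote_template: Optional[str] = None, with_macros: bool = False) -> bytes:
    """Construct a minimal OOXML container for the demo (constructed input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = [
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
            # A profile-style hyperlink: external, but benign and expected in a CV.
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="https://example.com/profile" TargetMode="External"/>',
        ]
        if remote_template:
            rels.append(
                '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                f'Target="{remote_template}" TargetMode="External"/>'
            )
        rels.append("</Relationships>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macros:
            # Placeholder bytes standing in for a real OLE-wrapped VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean resume", build_demo_docx()),
        ("remote template", build_demo_docx(remote_template="http://example.invalid/resume.dotm")),
        ("macro-enabled", build_demo_docx(with_macros=True)),
        ("not OOXML", b"{\\rtf1 plain text}"),
    ]
    for label, doc in samples:
        print(f"{label}: {scan_office_upload(doc) or ['no findings']}")
```

Anything flagged as a remote template or macro project should be quarantined rather than rejected outright, since the external URL and the rels file are exactly the indicators an incident responder wants to keep; the "not an OOXML container" result is a routing decision, not a verdict, because legacy .dot templates of the kind CERT-EE described need an OLE-aware scanner.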

“As international tensions surrounding Ukraine remain unresolved, Gamaredon’s operations are likely to continue to focus on Russian interests in the region,” Palo Alto says. “While we have mapped out three large clusters of currently active Gamaredon infrastructure, we believe there is more that remains undiscovered.”
