A group of Russia-backed hackers, known for its attacks on Ukrainian state agencies, has returned with a new campaign targeting Ukrainian government officials.
In research published yesterday, the Anomali Threat Research team says with “high confidence” that Gamaredon, also known as Primitive Bear, is behind the new cyberattack. Anomali does not, however, consider Gamaredon an APT per se, but rather a group that provides services to other APTs.
Previously, Primitive Bear was linked to a campaign in which hackers targeted Ukrainian state and defense agencies with NATO-themed documents in summer 2019.
The present campaign started in January and continued through at least mid-March, Anomali said.
Researchers note that the campaign coincided with escalating tensions between Russia and Ukraine, as Russia has been gathering troops along the Ukrainian border over the past couple of months.
“This one is interesting because the alignment of real-world events is just another indication of potential hybrid warfare that Russia is known to engage in,” said Gage Mele, lead cyber threat intelligence analyst at Anomali.
Anomali researchers are not certain of the latest campaign’s goals, as they could not run a full investigation: the remote template domains used by the attackers were already down at the time of discovery. The researchers nevertheless believe the suspected Russian hackers used current events as a convenient hook for spearphishing.
Researchers observed Primitive Bear distributing .docx files that, once opened, could fetch a .dot template from an attacker-controlled server through Word’s remote template feature. The documents themselves served as decoys and were themed around current events.
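A .docx is a ZIP of XML parts, and the remote template trick described above is visible in one of them: `word/settings.xml` carries an `attachedTemplate` reference, and `word/_rels/settings.xml.rels` resolves it to a URL with `TargetMode="External"`. The following scanner, added here as an illustration and not part of Anomali’s research or tooling, pulls that relationship out of a document so a triage analyst can see where a lure would reach out to. The sample documents and the `update.example.com` URL are constructed for the demonstration, not indicators from the campaign.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses to bind a document to its template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REMOTE_SCHEMES = ("http://", "https://", "file://", "\\\\")


def find_remote_templates(docx_bytes):
    """Return external attachedTemplate targets declared in a .docx.

    A benign document has no settings.xml.rels, or only internal targets
    such as Normal.dotm. A remote-template lure points the relationship at
    a URL that Word fetches (and, if it is a macro-enabled .dot/.dotm,
    executes) when the file is opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        # Both parts may carry the relationship; settings.xml.rels is usual.
        for part in ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels"):
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or target.lower().startswith(REMOTE_SCHEMES):
                    hits.append(target)
    return hits


def build_sample_docx(rels_xml=None):
    """Build a minimal .docx in memory (constructed sample, not a real lure).
    If rels_xml is given it becomes word/_rels/settings.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/settings.xml",
                   '<?xml version="1.0"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        if rels_xml is not None:
            z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one remote (the lure shape), one local (benign).
MALICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%s" Target="http://update.example.com/templates/report.dot" TargetMode="External"/>'
    '</Relationships>' % (PKG_NS, ATTACHED_TEMPLATE)
)
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%s" Target="Normal.dotm"/>'
    '</Relationships>' % (PKG_NS, ATTACHED_TEMPLATE)
)


def scan_samples():
    """Run the scanner over the three constructed documents."""
    return {
        "remote": find_remote_templates(build_sample_docx(MALICIOUS_RELS)),
        "local": find_remote_templates(build_sample_docx(BENIGN_RELS)),
        "none": find_remote_templates(build_sample_docx()),
    }


if __name__ == "__main__":
    # With file arguments, scan real documents; otherwise show the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, find_remote_templates(f.read()))
    else:
        print(scan_samples())
```

The hostname is the pivot: once it is extracted, it can be checked against proxy and DNS logs for any host that actually retrieved the template, which is exactly the kind of follow-up Anomali could not do once the attackers’ domains went offline.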
One legitimate-looking document in the campaign, a Bulgaria-themed dissertation, surfaced at the same time as Bulgaria charged six of its government officials with spying for Russia.
“It would not be unlikely to think that Primitive Bear was using Bulgaria-themed decoys before the media knew of the events, thus making the information more relevant to Ukrainian officials who knew what was transpiring,” the research reads.
Anomali warned that the hackers could replicate the campaign and go after government officials in other countries.