
Malicious Activity Aligning with Gamaredon TTPs Targets Ukraine

The Anomali Threat Research (ATR) team has identified malicious activity that we believe is being conducted by the Russia-sponsored Advanced Persistent Threat (APT) group Gamaredon (Primitive Bear).

Anomali Threat Research
December 5, 2019
<h3><strong>Overview</strong></h3>
<p>The Anomali Threat Research (ATR) team has identified malicious activity that we believe is being conducted by the Russia-sponsored Advanced Persistent Threat (APT) group Gamaredon (Primitive Bear). Some of the documents have been discussed by other researchers.[1] This Gamaredon campaign appears to have begun in mid-October 2019 and is ongoing as of November 25, 2019. Based on lure documents observed by ATR, we believe that at least the following Ukrainian entities and individuals may be targeted:</p>
<ul>
<li>Diplomats</li>
<li>Government officials and employees</li>
<li>Journalists</li>
<li>Law enforcement</li>
<li>Military officials and personnel</li>
<li>Non-Governmental Organizations (NGOs)</li>
<li>The Ministry of Foreign Affairs of Ukraine</li>
</ul>
<p>ATR analysts have found Tactics, Techniques, and Procedures (TTPs) that align with known Gamaredon tactics, in addition to a new template-injection technique that has not previously been observed in use by the group.</p>
<p>The objective of this report is to highlight a new Gamaredon TTP and share IOCs with the security community for awareness and further analysis. Several lure documents will also be examined, and a technical analysis section showcases the functionality of the template injection.</p>
<p style="text-align: center;"><a href="https://www.anomali.com/resources/whitepapers/malicious-activity-aligning-with-gamaredon-ttps-targets-ukraine" target="_blank"><strong>Get the full report on Gamaredon (Primitive Bear) and read through our key findings here</strong>.</a></p>
<h3><strong>Endnotes</strong></h3>
<p>[1] Evgeny Ananin and Artem Semenchenko, “The Gamaredon Group: A TTP Profile Analysis,” Fortinet Blog, published August 21, 2019, accessed November 25, 2019, https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html; ZLAB-YOROI, “The Russian Shadow in Eastern Europe: Ukrainian MOD Campaign,” YOROI Blog, published April 24, 2019, accessed November 25, 2019, https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/; ZLAB-YOROI, “The Russian Shadow in Eastern Europe: A Month Later,” YOROI Blog, published June 4, 2019, accessed November 25, 2019, https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-a-month-later/.</p>
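As an added defensive example (not code from the report or from Anomali), the following Python inspects a Word document for the generic mechanism that remote template injection relies on: an attachedTemplate relationship in word/_rels/settings.xml.rels whose target is an http(s) URL, which makes Word fetch a template from the network when the file is opened. The sample documents it builds are constructed here for the check; the campaign's actual lure documents and URLs are not on this page and are not reproduced.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# OOXML relationship type that names a Word document's attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"
REL_RE = re.compile(r"<Relationship\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return attachedTemplate targets that point at an http(s) URL.

    A benign document has no attachedTemplate relationship or a local one
    (e.g. file:///...Normal.dotm), so any network target is worth triage."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return hits
        rels = zf.read(RELS_PART).decode("utf-8", "replace")
    for match in REL_RE.finditer(rels):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}
        if attrs.get("type") != ATTACHED_TEMPLATE:
            continue
        target = attrs.get("target", "")
        if (attrs.get("targetmode") == "External"
                and urlparse(target).scheme in ("http", "https")):
            hits.append(target)
    return hits


def build_sample_docx(template_target: str = "") -> bytes:
    """Constructed minimal .docx (not a real lure) holding only the parts
    the check reads; an empty target means no template relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if template_target:
            zf.writestr(RELS_PART,
                '<Relationships xmlns="http://schemas.openxmlformats.org/'
                'package/2006/relationships"><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
                'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host: the campaign's real template URLs are not on this page.
    print(find_remote_templates(build_sample_docx("http://template.example.invalid/a.dot")))
```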
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
