<h3>Russia-Sponsored Group Employs Apparently Legitimate Documents Aligned to Growing Hostilities Between Russia and Ukraine</h3> <p><em>Authored by: Gage Mele, Yury Polozov, and Tara Gould</em></p> <h2>Key Findings</h2> <ul> <li>Anomali Threat Research discovered a campaign targeting Ukrainian government officials with malicious files that could be repurposed to target government officials of other countries.</li> <li>We assess with high confidence that this activity was conducted by Russia-sponsored cyberespionage group Primitive Bear (Gamaredon).</li> <li>Primitive Bear was observed distributing .docx files that attempted to download a .dot file via remote templates.</li> <li>The campaign appears to have taken place from January through at least late March 2021, and used decoy documents themed around current events. These documents also showed that Primitive Bear likely used unauthorized access or illicit purchase of private documents prior to their publication.</li> <li>The final objective of this campaign remains unclear because the remote template domains were down at the time of discovery.</li> </ul> <h2>Overview</h2> <p>Anomali Threat Research identified malicious samples that align with the Russia-sponsored cyberespionage group Primitive Bear’s (Gamaredon, Winterflounder) tactics, techniques, and procedures (TTPs).<sup>[1]</sup> The group was distributing .docx files that attempted to download .dot files from remote templates. The final objective of this campaign remains unclear as the remote template domains were down at the time of discovery. We observed Primitive Bear activity in late 2019, and again in April 2020, during which time they used similar TTPs and Ukrainian government-themed decoys.<sup>[2]</sup> In those campaigns, Primitive Bear’s decoys loaded a remote template to drop a .dot file that would determine if the compromised machine was worthy of a second-stage payload.<sup>[3]</sup></p> <p>Primitive Bear, known primarily to focus on Ukraine, has been very active in 2021. However, the themes of the samples we found, as well as those shared by the security community, could also be used to target multiple former Union of Soviet Socialist Republic (USSR) countries.</p> <h2>Details</h2> <p>Anomali Threat Research found malicious .docx files being distributed by Primitive Bear, likely through spearphishing, that attempted to download remote template .dot files through template injection. Most of the .docx decoy files were written in Ukrainian, and a minority written in Russian, and contained content discussing multiple Ukrainian government agencies, institutions, and public entities, as well as Russian intelligence agencies in the context of occupied Crimea. Primitive Bear was using specific names of individuals and entities in their files, relevant to the January through mid-March 2021 timeframe, to make their malicious files appear more legitimate. This highlights the group’s use of authentic events to craft likely phishing themes more likely to be effective.</p> <p style="text-align: center;"><em><strong><img alt="Observed Infection Chain" src="https://cdn.filestackcontent.com/3rdxPndPSrq1bwjwQaXt"/><br/> Figure 1 </strong>– Observed Infection Chain</em></p> <h2>Technical Analysis</h2> <p>The .docx files distributed by Primitive Bear used template injection to add a remote domain that contained a .dot (Word template) file. In Figure 2, the template injection can be seen with the TargetMode set to “External,” indicating the file was reaching out to a remote location. If the connection was made, the .dot file was subsequently downloaded.</p> <p style="text-align: center;"><em><strong><img alt="автореферат Тертична last 8.2.docx Remote Template Domain Information" src="https://cdn.filestackcontent.com/Hyk7RYdeQNShZji7XbNg"/><br/> Figure 2</strong> – автореферат Тертична last 8.2.docx Remote Template Domain Information</em></p> <p>The final objective of this campaign remains unclear because the remote template domains were down at the time of discovery, and we encourage the security community to share if discovered.</p> <h3>Decoy Analysis</h3> <p><strong>Analyzed File</strong> – автореферат Тертична last 8.2.docx<br/> <strong>Translated File Name</strong> – Tertychna Abstract last 8.2.docx<br/> <strong>SHA-256</strong> – 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418</p> <p style="text-align: center;"><em><strong><img alt="автореферат Тертична last 8.2.docx (Translated from Ukrainian: Tertychna Abstract last 8.2.docx)" src="https://cdn.filestackcontent.com/Pao8y6HQToSph3P7Yhvz"/><br/> Figure 3 </strong>– автореферат Тертична last 8.2.docx (Translated from Ukrainian: Tertychna Abstract last 8.2.docx)</em></p> <p style="text-align: center;"><em><strong><img alt="Tertychna Abstract last 8.2.docx (Translated from Ukrainian)" src="https://cdn.filestackcontent.com/h1axoQsPQCOvqbjLgAcD"/><br/> Figure 4</strong> – Tertychna Abstract last 8.2.docx (Translated from Ukrainian)</em></p> <p><strong>Tertychna Abstract last 8.2.docx</strong>, shown above in Figures 3 and 4, is a 26 page abstract of a Ukrainian dissertation discussing modern relations between Ukraine and Bulgaria. Most of the document is in Ukrainian, however, the last two and one-half pages have English summaries. <strong>Tertychna Abstract last 8.2.docx</strong> appears to be a shortened version of another Primitive Bear file called <strong>дисертація 8.02.21.docx</strong> (from Ukrainian: Dissertation 8.02.21.docx), which was also mentioned by the security community, shown in Figures 5 and 6 below.<sup>[4]</sup></p> <p style="text-align: center;"><em><strong><img alt="дисертація 8.02.21.docx (Translated from Ukrainian: Dissertation 8.02.21.docx)" src="https://cdn.filestackcontent.com/gfg5VFc9R4mEUz9kS5pa"/><br/> Figure 5</strong> – дисертація 8.02.21.docx (Translated from Ukrainian: Dissertation 8.02.21.docx)</em></p> <p style="text-align: center;"><em><strong><img alt="Dissertation 8.02.21.docx (Translated from Ukrainian, Page 1/282)" src="https://cdn.filestackcontent.com/hwzR7HZR1W4YaWXNdvkQ"/><br/> Figure 6</strong> – Dissertation 8.02.21.docx (Translated from Ukrainian, Page 1/282)</em></p> <p>These two documents (<strong>автореферат Тертична last 8.2.docx</strong> and <strong>дисертація 8.02.21.docx</strong>) appear to be legitimate documents that were weaponized by Primitive Bear for template injection. The group likely procured them through illicit purchase or previous compromise. We found the full document was published by its author, Anna, on the literature repository site, chtyvo.org[.]ua.<sup>[5]</sup> The file was uploaded to the site on March 7, 2021, but both of the analyzed file names suggested a date of February 8, 2021 (8.2.docx) or called it out explicitly. This indicates that Primitive Bear has used access to private Ukrainian documents, weaponized them, and distributed them prior to the authorized publication of said documents.</p> <p>In hindsight, the decision for Primitive Bear to use a Ukrainian and Bulgarian-themed dissertation comes at an interesting time for Russian and Bulgarian relations. This is due to the Bulgarian government arresting six of its own members who were charged with spying for the Russian government, on March 19, 2021, according to the Bulgarian prosecutors’ statement.<sup>[6]</sup> However, Russia is known for combining cyber and real-world operations, and has been using this hybrid warfare to target Georgia in 2008 and Ukraine since at least the 2014 annexation of Crimea.<sup>[7]</sup> Therefore, it would not be unlikely to think that Primitive Bear was using Bulgaria-themed decoys before the media knew of the events, thus making the information more relevant to Ukrainian officials who knew what was transpiring.</p> <p><strong>Analyzed File</strong> – ДОПОВІДНА ЗАПСКА.docx<br/> <strong>Translated File Name</strong> – REPORT NOTE.docx<br/> <strong>SHA-256</strong> – 63da0b2abb744a5c92c3a1fff2c3e5940f5c969890f3f16fd8dca0a1363da494</p> <p style="text-align: center;"><em><strong><img alt="ДОПОВІДНА ЗАПСКА.docx (from Ukrainian: REPORT NOTE.docx)" src="https://cdn.filestackcontent.com/3UVUJWbRCCBgRPkqtLUg"/><br/> Figure 7</strong> – ДОПОВІДНА ЗАПСКА.docx (from Ukrainian: REPORT NOTE.docx)</em></p> <p style="text-align: center;"><em><strong><img alt="REPORT NOTE.docx (Translated from Ukrainian) page 1/5" src="https://cdn.filestackcontent.com/0enrGlgR66d3wHkveK2X"/><br/> Figure 8</strong> – REPORT NOTE.docx (Translated from Ukrainian) page 1/5</em></p> <p><strong>REPORT NOTE.docx</strong>, shown in Figures 7 and 8 above, purports to be an internal note by the Prosecutor General’s Office of Ukraine dated February 2021. The file includes pre-trial investigative rulesets regarding suspected terrorists. These fighters, from unrecognized regions of Donetsk People’s Republic (DPR) and Luhansk People’s Republic (LPR), have been accused of fighting against the Ukrainian government. Russia has been the de-facto controller of DPR and LPR since the regions simultaneously declared their independence from Ukraine in 2014, which makes the use of these regions ideal in decoy documents for Primitive Bear.</p> <p>The escalating tensions between Russia and Ukraine in 2021 add incentive for mentioning DPR and LPR. On January 28, 2021, DPR and LPR groups presented a doctrine dubbed “Russian Donbass,” which stated the groups’ collective desire to rejoin Russia “in order to return to our historical roots.”<sup>[8]</sup> In the subsequent months, European monitors reported an increase in Russian troop movement along the Ukraine-Russia border. Tensions boiled over in the DPR on March 30, 2021, with exchanging artillery and machine-gun fire between the factions resulting in four Ukrainians killed and one wounded.<sup>[9]</sup> This was another strong example of Primitive Bear samples themed around real-world conflicts before a significant event occurred, a strong indication of potential hybrid warfare.</p> <p><strong>Analyzed File</strong> – incoming.docx<br/> <strong>SHA-256</strong> – 82fe93b52ae5f12fad99fc533324cbf680f5777cc67b9f30dd2addeeee7527f8</p> <p style="text-align: center;"><em><strong><img alt="incoming.docx" src="https://cdn.filestackcontent.com/ABmmqPfZQzq1zfbWBQSU"/><br/> Figure 9</strong> – incoming.docx</em></p> <p style="text-align: center;"><em><strong><img alt="incoming.docx (Translated from Russian)" src="https://cdn.filestackcontent.com/KDddohWzRcC0GmDDnhcu"/><br/> Figure 10</strong> – incoming.docx (Translated from Russian)</em></p> <p>The .docx file shown in Figures 9 and 10 above is a letter allegedly from Emil Variev, a neighbor of Rustem Seytmemetov, in occupied Crimea. He referenced how Russia’s Federal Security Service (FSB) arrested him in 2020 in relation to the Hizb ut-Tahrir (extremist aim to unite all Muslim countries) case. Rustem Seytmemetov is just one of three individuals who were arrested in what Crimeans refer to as “the so-called third Bakhchisaray Hizb ut-Tahrir case,” and they are expected to remain under arrest until April 22, 2021.<sup>[10]</sup> While the decoy did not state an intended recipient, the context appears directed towards Ukrainian authorities. This is another example of Primitive Bear using documents to coincide with real-world events.</p> <h2>Conclusion</h2> <p>Primitive Bear is motivated by cyberespionage (data theft, information gathering), and this campaign demonstrates their specific targeting of regional foes with what often appears to be private documents likely obtained by illicit means. We have observed Primitive Bear using malicious .docx files to distribute .dot files for over a year, however, the remote template domains used in this campaign were down at the time of discovery. Therefore, the final payload of this campaign remains unclear at the time of this writing.</p> <h2>MITRE TTPs</h2> <p>Masquerading - T1036<br/> Phishing - T1566<br/> Spearphishing Attachment - T1566.001<br/> Template Injection - T1221<br/> User Execution - T1204<br/> User Execution: Malicious File - T1204.002</p> <h2>Endnotes</h2> <p><sup>[1]</sup> Anomali Threat Research, “Gamaredon TTPs Target Ukraine,” Anomali White Papers, accessed April 5, 2021, published December 5, 2019, https://wwwlegacy.anomali.com/files/white-papers/Anomali_Threat_Research-Gamaredon_TTPs_Target_Ukraine-WP.pdf, 1-2.</p> <p><sup>[2]</sup> Ibid., 9-11; Gage Mele and Parthiban Rajendran, “Gamaredon Spearphishing Campaign,” accessed April 5 2021, published April 20, 2020, https://ui.threatstream.com/campaign/61380.</p> <p><sup>[3]</sup> Anomali Threat Research, “Gamaredon TTPs Target Ukraine,” Anomali White Papers, 6.</p> <p><sup>[4]</sup> “#Gamaredon #APT mal doc:,” @h2jazi, https://twitter.com/h2jazi/status/1371445133560983552.</p> <p><sup>[5]</sup> Anna Tertychna, “PUBLIC DIPLOMACY IN UKRAINIAN-BULGARIAN RELATIONS (1991-2018),” CHTIVO Electronic Library, accessed April 6, 2021, published March 7, 2021, https://shron1.chtyvo.org.ua/Tertychna_Anna/Publichna_dyplomatiia_v_ukrainsko-bolharskykh_vidnosynakh_19912018.pdf?.</p> <p><sup>[6]</sup> “Bulgarian PM tells Russia to stop spying after intelligence ring charges,” Reuters, accessed April 7, 2021, published March 20, 2021, https://www.reuters.com/article/us-bulgaria-russia-espionage/bulgarian-pm-tells-russia-to-stop-spying-after-intelligence-ring-charges-idUSKBN2BC0MR; https://www.reuters.com/article/us-bulgaria-russia-espionage/bulgaria-charges-six-people-over-alleged-russian-spy-ring-idUSKBN2BB1V4.</p> <p><sup>[7]</sup> Ibid; Dave Lee, “Russia and Ukraine in cyber ‘stand-off’,” BBC News, accessed April 7, 2021, published March 5, 2014, https://www.bbc.com/news/technology-26447200; Laurens Cerulus, “How Ukraine became a test bed for cyberweaponry,” Politico, accessed April 7, published February 14, 2019, https://www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks/; Andy Greenberg, How an Entire Nation Became Russia’s Test Lab for Cyberwar,” Wired, accessed April 7, 2021, published June 6, 2017, https://www.wired.com/story/russian-hackers-attack-ukraine/; David J. Smith, “Russian Cyber Strategy and the War Against Georgia,” Atlantic Council, accessed April 7, 2021, published January 17, 2014, https://www.atlanticcouncil.org/blogs/natosource/russian-cyber-policy-and-the-war-against-georgia/; Dancho Danchev, “Coordinated Rusia vs Georgia cyber attack in progress,” ZDNet, access April 7, 2021, published August 11, 2008, https://www.zdnet.com/article/coordinated-russia-vs-georgia-cyber-attack-in-progress/.</p> <p><sup>[8]</sup> “"L-DPR" presented their "doctrine": without entering Russia, but with the capture of the entire Donbass,” Novosti Donbassa, accessed April 7, 2021, published February 4, 2021, https://novosti.dn.ua/news/308202-l-dnr-predstavyly-svoyu-doktrynu-bez-vkhozhdenyya-v-rossyyu-no-s-zakhvatom-vsego-donbassa [article in Russian]; Nikola Mikovic, “The Donbass conflict: Waiting for escalation,” Lowy Institute, accessed April 7, 2021, published February 4, 2021, https://www.lowyinstitute.org/the-interpreter/donbass-conflict-waiting-escalation.</p> <p><sup>[9]</sup> Andrew E. Kramer, “Fighting Escalates in Eastern Ukraine, Signaling the End to Another Cease-Fire,” The New York Times, accessed April 7, 2021, published March 30, 2021, https://www.nytimes.com/2021/03/30/world/europe/ukraine-russia-fighting.html.</p> <p><sup>[10]</sup> “The defendants in the so-called third Bakhchisaray Hizb ut-Tahrir case had their arrest extended,” Crimean Tatar Resource Center, accessed April 7, 2021, published November 9, 2020, https://ctrcenter.org/en/news/5798-figurantam-tretego-bahchisarajskogo-dela-hizb-ut-tahrir-prodlili-srok-aresta.</p> <h2>IOCs</h2> <h3>Files</h3> <p>82fe93b52ae5f12fad99fc533324cbf680f5777cc67b9f30dd2addeeee7527f8<br/> d5d080a96b716e90ec74b1de5f42f26237ac959da9af7d09cce2548b5fc4473d<br/> e7f61cd965886e1ca75d5bd3d3140ce7c78c78c245d57c285af83711148b7472<br/> 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418<br/> 4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52<br/> e12c6b63c6216338aa645b63f589d2e96e868f9b1f6402520649cfeb7c053c83<br/> f25f4a78760bf0644c06814a3439b772610d7d62f6c5efde8fb314cc58697b01<br/> 63da0b2abb744a5c92c3a1fff2c3e5940f5c969890f3f16fd8dca0a1363da494<br/> 41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4<br/> fe3141950fe263f50edd8a202fe746dac736dcef91331cd4375d3ede27d5530a<br/> de1df653ca846cc3b01239c9e16c80cee52c01c921a0e8e34c2e5d4425eee715<br/> 0600f4be4dc7fe5ba4e226b797888667f5dd6138734a6333da697346e897c216<br/> 611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608<br/> 8fbea49a8b26889e9157ace2003334f56e3de7020cb099d3948df676539eb4a3<br/> e48fc5ce578d938320f9bce496015247b8c52bee04d851f44270bef8bf831696</p> <h3>Domains</h3> <p>http://download[.]logins<br/> http://download.logins[.]online/<br/> http://download[.]logins.online/wsusa<br/> http://email-smtp[.]online/<br/> http://email-smtp[.]online/preceding/<br/> http://email-smtp[.]online/preceding/rbfwaljtawm.dot<br/> http://word-expert[.]online/<br/> http://word-expert[.]online/september/<br/> http://word-expert[.]online/september/jtfqxxhzqaw.dot<br/> http://melitaeas[.]online<br/> http://melitaeas[.]online/4857E18C/countryside/prevent/<br/> http://melitaeas[.]online/4857E18C/countryside/prevent/counter.dot<br/> http://hamadryas[.]online<br/> http://hamadryas[.]online/4857E18C/almost/councilman/rejoice/<br/> http://hamadryas[.]online/4857E18C/almost/councilman/rejoice/clank.dot<br/> http://acetica[.]online<br/> http://acetica[.]online/header/precaution/precisely.dot<br/> http://acetica[.]online/presently/refuge/intention.dot<br/> http://acetica[.]online/intent/sense/guarded.dot<br/> http://mail-check[.]ru<br/> http://mail-check[.]ru/preservation/quietly/seedlings.dot<br/> http://mail-check[.]ru/refrigerator.dot<br/> http://mail-check[.]ru/prediction.dot<br/> http://mail-check[.]ru/pre.dot<br/> http://mail-check[.]ru/barrier.dot<br/> http://office360-expert[.]online<br/> http://office360-expert[.]online/intake<br/> http://office360-expert[.]online/intake/pfJwhBY.dot</p> <h3>IPs</h3> <p>172.67.136[.]62<br/> 104.21.48[.]186<br/> 185.119.58[.]61<br/> 195.161.114[.]130</p>