Cyber Threat Actor: Luhansk People's Republic (LPR) hackers
| Actor Type | Location | Known Incidents |
Spy
|
Ukraine
|
2 incidents |
|---|
Profile
The threat actor tracked as theLuhansk People's Republic hackers, also known as LPR hackers, operates from within Ukraine. Observations show that they direct their efforts toward Ukrainian military and government organizations. Their primary goal is the collection of intelligence through cyber espionage activities. Open‑source reporting indicates the group has been active for several years, maintaining a consistent focus on targets inside Ukraine. No public evidence points to a shift toward other geographic regions or sectors.
Intrusion typically begins with spear phishing emails that masquerade as correspondence from a UK defense manufacturer. These messages carry weaponized archives that contain PowerShell scripts hidden inside files that appear to be ordinary documents. Execution of the scripts delivers the RATVERMIN backdoor and, on occasion, the QUASARRAT malware. Once installed, RATVERMIN enables the actors to harvest system information, record keystrokes, monitor clipboard contents, and run arbitrary commands that allow process manipulation and file deletion. Over time the group has moved from using simple executable payloads to employing more complex lures such as malicious shortcut files, while continuing to rely on malware that has not been identified in other threat clusters.
Analysts associate the activity with the Luhansk People's Republic, describing the operators as sub‑state actors linked to a separatist region. Although a direct state sponsor has not been publicly confirmed, the demonstrated toolset shows access to advanced cyber espionage capabilities. A illustrative case took place in early 2018 when the actors launched a spear phishing wave against Ukrainian defense and government networks, deploying the malware suite described above. This operation reflects their usual pattern of using socially engineered lures to establish persistent footholds for intelligence gathering. The activity remains principally confined to Ukrainian targets, though researchers note that the methods could be adapted for use elsewhere.
