Cyber Incident Victim: Defence ministry and other institutions in Ukraine
Date:
Jan 2018
Location:
Ukraine
Summary
A hacker group associated with the Luhansk People's Republic targeted Ukrainian defense and government entities through spear phishing campaigns deploying the RATVERMIN backdoor. The attacks used malicious emails impersonating a UK defense manufacturer, attaching weaponized archives containing PowerShell scripts disguised as document files to deliver the malware. RATVERMIN enabled extensive espionage capabilities, including system information theft, keystroke logging, clipboard monitoring, and remote execution of commands for activities like process manipulation and file deletion. Researchers noted the group historically focused on Ukrainian targets, evolving from basic executable payloads to more sophisticated methods like malicious shortcut files, leveraging unique malware not observed elsewhere. While definitive attribution remains uncertain, the activity highlights sub-state actors' access to advanced cyber espionage tools, posing persistent threats primarily within Ukraine but with potential broader implications.
Description
The incident involved a sustained cyber espionage campaign targeting Ukrainian military departments and government entities, first identified in 2018 and continuing into 2019. FireEye Threat Intelligence found that the attackers sent spear phishing emails impersonating the United Kingdom defense manufacturer Armtrac, with malicious archives attached that contained PowerShell dropper scripts disguised as documents. These scripts deployed the RATVERMIN backdoor, a .NET-based Remote Access Tool previously analyzed (under the name VERMIN) by Palo Alto Networks' Unit 42 in January 2018. The threat group, active since at least 2014 according to malware compile-time analysis, shifted from standalone EXE and self-extracting RAR files in 2018 to malicious LNK (Windows shortcut) files in 2019. The payload was concealed behind a multi-stage delivery chain: the phishing emails carried a 7-Zip archive named Armtrac-Commercial.7z holding two legitimate Armtrac documents alongside a malicious LNK file named to look like a PDF and given a Microsoft Word icon. Opening the shortcut launched a PowerShell script that installed the backdoor.
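The shortcut-in-archive lure described above is easy to triage statically, because a .lnk file records its target, command-line arguments, icon source and window mode in a documented binary format (MS-SHLLINK). The following is an added example, not code from the original page or from FireEye; it parses those fields and scores the indicators that make a shortcut look like a disguised PowerShell launcher (document-style double extension, script-host target, hidden or encoded arguments, an icon borrowed from another program, and a minimised start). The sample archive contents and the shortcut bytes are constructed inline; the file names, the WINWORD.EXE icon path and the encoded-command blob are assumptions for illustration.

```python
"""Static triage of Windows shortcut (.lnk) lures of the kind delivered in
Armtrac-Commercial.7z. Parses the Shell Link binary format (MS-SHLLINK) far
enough to recover target, arguments, icon and ShowCommand, then scores
heuristics. The sample archive and shortcuts below are constructed."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
# LinkFlags (MS-SHLLINK 2.1.1), low byte only
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised
STRING_FIELDS = (  # StringData items appear in this fixed order when their flag is set
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))


def _read_string(buf, off, unicode):
    """One StringData item: u16 CountCharacters, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    width = 2 if unicode else 1
    raw = buf[off:off + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return text, off + count * width


def parse_lnk(buf):
    """Return ShowCommand plus the StringData fields; ExtraData blocks are ignored."""
    if not buf.startswith(LNK_MAGIC):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    (show_command,) = struct.unpack_from("<I", buf, 0x3C)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip LinkTargetIDList: u16 IDListSize + items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: u32 LinkInfoSize counts itself
        off += struct.unpack_from("<I", buf, off)[0]
    fields = {"show_command": show_command}
    for flag, key in STRING_FIELDS:
        fields[key], off = _read_string(buf, off, flags & IS_UNICODE) if flags & flag else ("", off)
    return fields


DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|rtf|txt)\.lnk$", re.I)
SCRIPT_HOSTS = re.compile(r"^(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?$", re.I)
HIDDEN_OR_ENCODED = re.compile(
    r"-(?:nop\b|noprofile\b|w(?:indowstyle)?\s+hidden\b|e(?:nc|ncodedcommand)?\b|e(?:p|xecutionpolicy)\s+bypass)",
    re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage_lnk(filename, buf):
    """Score one shortcut: each heuristic that fires adds one point. Returns (score, findings)."""
    f = parse_lnk(buf)
    target = _basename(f["relative_path"] or f["name"])
    icon = _basename(f["icon_location"])
    findings = []
    if DOUBLE_EXT.search(_basename(filename)):
        findings.append("document-style double extension (Explorer hides the .lnk part)")
    if SCRIPT_HOSTS.match(target):
        findings.append("target is a script host: " + target)
    if HIDDEN_OR_ENCODED.search(f["arguments"]):
        findings.append("arguments hide the window, bypass policy or carry an encoded command")
    if icon and icon.lower() != target.lower():  # noisy alone (shell32.dll icons), hence the score
        findings.append("icon borrowed from a different program: " + icon)
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 starts the target minimised")
    return len(findings), findings


def scan_members(members):
    """members: archive entry name -> bytes (fill from zipfile, py7zr or a directory walk).
    Shortcuts are recognised by magic, not extension; other members are skipped."""
    return {name: triage_lnk(name, data) for name, data in members.items() if data.startswith(LNK_MAGIC)}


def build_lnk(relative_path, arguments="", icon_location="", show_command=1):
    """Construct a minimal Unicode .lnk (no IDList, no LinkInfo) for testing the parser."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0) | \
        (HAS_ICON_LOCATION if icon_location else 0)
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0) + b"\x00" * 24  # 3 FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)  # FileSize..Reserved3
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + b"".join(enc(s) for s in (relative_path, arguments, icon_location) if s)


# Constructed sample: a lure shortcut shaped like the one in the Armtrac archive (assumed paths).
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAuALgALgA=",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\notepad.exe")
SAMPLE_ARCHIVE = {  # two benign documents plus the shortcut, as in the real lure (placeholders)
    "Armtrac-Commercial/Armtrac brochure.pdf": b"%PDF-1.4 placeholder",
    "Armtrac-Commercial/Armtrac price list.docx": b"PK\x03\x04 placeholder",
    "Armtrac-Commercial/Armtrac-Commercial.pdf.lnk": SAMPLE_LNK,
    "Armtrac-Commercial/Notes.lnk": BENIGN_LNK,
}

if __name__ == "__main__":
    for name, (score, findings) in scan_members(SAMPLE_ARCHIVE).items():
        print(f"{score} {name}: {'; '.join(findings) or 'no findings'}")
```

Shortcuts are matched by their header magic rather than by extension, because Explorer hides `.lnk` and the lure relies on that; a real deployment would feed `scan_members` from the extracted 7-Zip archive and treat a score of two or more as worth a look, since the icon-mismatch heuristic alone fires on many legitimate shortcuts.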

RATVERMIN provided comprehensive surveillance capabilities, including system information collection, keystroke logging, clipboard monitoring, and encrypted data exfiltration. The malware accepted remote commands for process manipulation, audio recording, screenshot capture, file deletion, and self-updating. FireEye researchers linked the group to the Luhansk People's Republic (LPR) on the basis of targeting patterns and infrastructure analysis, while noting that the evidence was insufficient for definitive attribution. The campaign grew more technically sophisticated over time, pairing the open-source QUASARRAT with the custom RATVERMIN malware, which has not been observed in use by other threat groups. While the activity primarily affected Ukrainian entities, the researchers pointed to historical precedents in which threats that began as localized to Ukraine became international security concerns, and recommended continued monitoring of the group. The incident underscores the persistent targeting of Ukrainian defense infrastructure by regionally aligned threat actors combining readily available open-source tooling with their own malware.
