Date: Dec 2019

Location: Ukraine

Summary

The Gamaredon APT group, linked to Russian military interests, conducted cyber-espionage and reconnaissance operations against Ukrainian national security targets, including the Hetman Petro Sahaidachnyi National Ground Forces Academy. The attackers deployed an enhanced malware toolset featuring modified Pterodo implants packaged as self-extracting archives, which executed obfuscated .NET components and macro payloads to collect system data, establish persistence, and evade detection through forged certificates and registry manipulation. Campaigns leveraged Nginx forwarders and dynamic DNS infrastructure, impacting over 5,000 Ukrainian entities, with activities extending to physical military hardware and field artillery systems as part of broader hybrid warfare efforts in the region.


Description

In December 2019, Gamaredon APT intensified cyber operations against Ukrainian military and security institutions, including reconnaissance activities targeting the Hetman Petro Sahaidachnyi National Ground Forces Academy. The group deployed malware implants across Ukrainian governmental entities, compromising over 5,000 unique victims near the separatist conflict line in eastern Ukraine. Attacks expanded beyond traditional cyber-espionage to target physical military infrastructure, including field artillery systems. SentinelLabs researchers documented the campaign's evolution, noting Gamaredon's upgraded toolset featured modified Pterodo malware distributed via self-extracting ZIP archives. These archives contained batch scripts, .NET components, and macro payloads designed to conduct system reconnaissance. The malware collected host data, established persistent communication with command-and-control servers, and awaited additional operational directives from attackers.


The updated Pterodo variant incorporated Microsoft.Vbe.Interop for enhanced macro execution, utilizing obfuscated .NET applications to bypass security measures. Attackers manipulated registry settings to disable Visual Basic for Applications warnings and enable macro execution without user alerts. Malware components employed forged Microsoft Time-Stamp Service digital certificates to appear legitimate. Gamaredon infrastructure utilized Nginx forwarders and dynamic DNS providers to route victim traffic, complicating detection efforts. Campaign analysis confirmed the group's exclusive focus on Ukrainian national security targets, with compromised systems spanning government agencies and military training institutions. The operations demonstrated integration of cyber capabilities with conventional battlefield tactics in the ongoing eastern Ukraine conflict zone since 2014.
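The record above says the implant changed registry settings to silence VBA warnings and allow macros to run without prompting, but it does not name the exact values that were modified. The script below is an added, defender-side example (not code from the incident record, from SentinelLabs, or from the malware) that audits the standard per-user Office macro-security values, VBAWarnings and AccessVBOM, in both the user hive and the Group Policy override hive; the assumption is that a tampering of the kind described would show up in those values. The version list and application list are parameters so they can be adjusted for the installed Office build.

```powershell
# Added defender-side example (not from the incident record): audit the Office
# macro-security registry values that macro-enabling malware commonly tampers with.
# The page says the implant disabled VBA warnings and enabled silent macro execution;
# the exact keys it touched are not stated there, so this checks the standard
# per-user Office settings (VBAWarnings, AccessVBOM) in both the user hive and the
# Group Policy override hive. Run as the user whose profile you want to inspect.

function Get-OfficeMacroSecurityAudit {
    [CmdletBinding()]
    param(
        # Office 2010 / 2013 / 2016+ version keys; adjust for the installed build.
        [string[]] $Versions = @('14.0', '15.0', '16.0'),
        [string[]] $Apps     = @('Word', 'Excel', 'PowerPoint')
    )

    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            $paths = @(
                "HKCU:\Software\Microsoft\Office\$ver\$app\Security",
                "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            )
            foreach ($path in $paths) {
                if (-not (Test-Path $path)) { continue }
                $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
                $vbaWarnings = $props.VBAWarnings
                $accessVbom  = $props.AccessVBOM

                $findings = @()
                # VBAWarnings: 1 = enable all macros (no prompt), 2 = disable with
                # notification, 3 = disable except digitally signed,
                # 4 = disable all without notification. Only 1 is flagged here.
                if ($vbaWarnings -eq 1) {
                    $findings += 'VBAWarnings=1 (all macros run without a prompt)'
                }
                # AccessVBOM=1 grants programmatic access to the VBA project object
                # model, which is what scripted macro injection relies on.
                if ($accessVbom -eq 1) {
                    $findings += 'AccessVBOM=1 (VBA project object model trusted)'
                }

                [pscustomobject]@{
                    Path        = $path
                    VBAWarnings = $vbaWarnings
                    AccessVBOM  = $accessVbom
                    Weak        = ($findings.Count -gt 0)
                    Findings    = ($findings -join '; ')
                }
            }
        }
    }
}

# Usage: show only the entries that weaken macro protection.
Get-OfficeMacroSecurityAudit | Where-Object Weak | Format-Table -AutoSize
```

The audit deliberately reports both hives: a value set under `Software\Policies` wins over the per-user setting, so a clean user hive with a weakened policy hive is still a finding. A VBAWarnings value of 1 or an AccessVBOM value of 1 on a host where policy mandates otherwise is worth correlating with the self-extracting archive and batch-script activity the record describes.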
