
Cyber Incident Victim: Ministry of Defence of Ukraine

Date:

Jan 2018

Location:

Ukraine

Summary

A spear phishing campaign impersonating a UK defense manufacturer delivered malicious files to Ukrainian military entities, deploying the RATVERMIN backdoor and QUASARRAT malware. The attack involved disguised PowerShell scripts and compromised documents to steal sensitive data, including keystrokes and system information, while enabling remote execution of commands. The threat actors, active for several years with apparent ties to a separatist region, demonstrated evolving tactics but remained focused on Ukrainian targets, highlighting concerns over regional cyber espionage capabilities.

CIA Posture: available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actor: 1 actor (details available to members)
Type: available to members
Location: available to members

Description

In early 2018, a hacking group associated with the Luhansk People's Republic (LPR) initiated a spear phishing campaign targeting multiple Ukrainian military and defense entities. The attackers impersonated Armtrac, a United Kingdom-based defense manufacturer, to distribute malicious emails containing weaponized attachments. These emails carried compressed archive files (ZIP within 7z format) named "Armtrac-Commercial.7z," which contained legitimate documents from Armtrac's website alongside malicious components. The primary payload was disguised as a PDF file with a Microsoft Word icon, but actually functioned as a Windows LNK shortcut file that executed a PowerShell script upon opening. This script delivered a second-stage payload—either the open-source QUASARRAT malware or a custom .NET backdoor called RATVERMIN. The group had previously used standalone EXE and self-extracting RAR files in 2018 but shifted to more sophisticated LNK-based delivery in subsequent campaigns.
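The delivery chain described above (a shortcut file named and iconed like a document that launches PowerShell when opened) can be triaged from the archive without ever opening the shortcut. The Python script below is an added example for defenders, not code from the report or from FireEye or Unit 42. It parses only the fixed 76-byte ShellLink header documented in MS-SHLLINK and applies heuristics that are my own assumptions (a document extension in front of .lnk, a custom icon, command-line arguments, a minimized launch, and a "powershell" string in ASCII or UTF-16LE). The sample archive it builds is constructed for the demonstration and is not the Armtrac-Commercial.7z artifact; it handles the inner ZIP layer only, since reading the outer 7z would need a third-party library.

```python
"""Triage a ZIP archive for Windows shortcut (.lnk) files posing as documents.

Added example; the heuristics below are assumptions, not findings from the report.
"""
import io
import re
import struct
import zipfile

# Fixed ShellLink header (MS-SHLLINK): HeaderSize 0x4C followed by the LNK
# class id 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_ARGUMENTS = 0x20       # LinkFlags bit 5: command-line arguments present
FLAG_HAS_ICON_LOCATION = 0x40   # LinkFlags bit 6: shortcut carries its own icon
SW_SHOWMINNOACTIVE = 7          # ShowCommand value that opens the target minimized
DOC_EXTS = (".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx")
# "powershell" either as ASCII or as the UTF-16LE used by LNK StringData.
PS_PATTERNS = (
    re.compile(rb"powershell", re.I),
    re.compile(re.escape("powershell".encode("utf-16-le")), re.I),
)


def parse_lnk_header(data):
    """Return (link_flags, show_command) for a ShellLink blob, else None."""
    if len(data) < 76 or not data.startswith(LNK_MAGIC):
        return None
    link_flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    return link_flags, show_command


def assess_member(name, data):
    """Score one archive member and explain why it was (or was not) flagged."""
    lower = name.lower()
    header = parse_lnk_header(data)
    mentions_ps = any(p.search(data) for p in PS_PATTERNS)
    reasons = []
    decoy_name = False
    if mentions_ps:
        reasons.append("references powershell")
    if header is not None:
        flags, show = header
        reasons.append("ShellLink (.lnk) header")
        # Explorer never displays the .lnk suffix, so "Offer.pdf.lnk" is shown
        # to the user as "Offer.pdf"; a document extension before .lnk is a decoy.
        stem = lower[:-4] if lower.endswith(".lnk") else lower
        decoy_name = stem.endswith(DOC_EXTS)
        if decoy_name:
            reasons.append("document extension in front of .lnk (decoy name)")
        if flags & FLAG_HAS_ICON_LOCATION:
            reasons.append("custom icon set (HasIconLocation)")
        if flags & FLAG_HAS_ARGUMENTS:
            reasons.append("command-line arguments present (HasArguments)")
        if show == SW_SHOWMINNOACTIVE:
            reasons.append("launches minimized (SW_SHOWMINNOACTIVE)")
    # Assumed rule: a shortcut is suspicious when it wears a document name
    # or invokes PowerShell; a lone mention of "powershell" in a PDF is not.
    suspicious = header is not None and (decoy_name or mentions_ps)
    return {"name": name, "suspicious": suspicious, "reasons": reasons}


def triage_archive(zip_bytes):
    """Assess every file inside a ZIP held in memory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [assess_member(info.filename, zf.read(info))
                for info in zf.infolist() if not info.is_dir()]


def build_sample_archive():
    """Constructed sample, not a real artifact: one benign PDF plus a shortcut
    named like a PDF whose string data names powershell.exe."""
    header = bytearray(76)
    header[0:20] = LNK_MAGIC
    struct.pack_into("<I", header, 20, FLAG_HAS_ARGUMENTS | FLAG_HAS_ICON_LOCATION)
    struct.pack_into("<I", header, 60, SW_SHOWMINNOACTIVE)
    string_data = "powershell.exe".encode("utf-16-le")
    lnk_blob = bytes(header) + b"\x00" * 8 + string_data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Brochure.pdf", b"%PDF-1.4\n% benign decoy document\n")
        zf.writestr("Commercial-Offer.pdf.lnk", lnk_blob)
    return buf.getvalue()


if __name__ == "__main__":
    for result in triage_archive(build_sample_archive()):
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {result['name']}: {', '.join(result['reasons']) or '-'}")
```

The header-only approach is deliberate: the variable-length sections of a shortcut (item id list, link info, string data) are where parsers get fooled, whereas the first 76 bytes are fixed, so LinkFlags and ShowCommand can be read safely from any file that carries the signature, and the string scan catches the PowerShell reference regardless of how the rest is laid out. Extending the same loop to the outer 7z layer only requires swapping in a 7z reader.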


FireEye Threat Intelligence discovered the activity, noting the group had operated since at least 2014 with a consistent focus on Ukrainian targets. RATVERMIN, first identified by Palo Alto Networks' Unit 42 in January 2018, functioned as a remote access tool (RAT) capable of harvesting system information, logging keystrokes, capturing clipboard data, and encrypting collected information before exfiltration. The malware allowed attackers to execute commands on compromised systems, including process manipulation, audio recording, screenshot capture, file deletion, and self-updating mechanisms. The campaign's objective appeared centered on cyber espionage, with stolen data potentially aiding military or strategic intelligence gathering. Researchers highlighted the group’s access to competent offensive capabilities despite its sub-state affiliation and warned that similar Ukraine-focused threats had previously escalated into broader international security concerns. No specific remediation actions by Ukrainian authorities or victim organizations were disclosed in the reporting.

Sources
Sources available to members
1 source