Cyber Incident Victim: Armed Forces of Ukraine
Date: Jan 2018
Location: Ukraine
Summary
A spear phishing campaign targeted Ukrainian military departments using malicious emails impersonating a UK defense manufacturer to deliver a PowerShell script disguised as a document, ultimately deploying the RATVERMIN backdoor. The attackers utilized compressed archives containing legitimate documents to enhance credibility, while the malware collected system information, keystrokes, clipboard data, and enabled remote execution of commands including process manipulation, audio capture, and file deletion. The activity, linked to a group associated with the Luhansk People's Republic, demonstrated increased sophistication by leveraging LNK files and unique malware not observed elsewhere, continuing a pattern of cyber espionage primarily focused on Ukrainian entities. Researchers noted the operation highlighted accessible cyber capabilities for sub-state actors, with potential broader implications despite its regional focus.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between 2018 and April 2019, a hacker group linked to the self-proclaimed Luhansk People's Republic conducted a persistent cyber espionage campaign against multiple departments within the Armed Forces of Ukraine. The initial 2018 attacks employed standalone executable files or self-extracting RAR archives to deliver malware payloads. By early 2019, the group increased operational sophistication by shifting to spear phishing emails impersonating communications from Armtrac, a legitimate United Kingdom-based defense manufacturer. These emails contained malicious LNK files disguised as PDF documents bearing Microsoft Word icons, which executed PowerShell scripts upon opening to deploy secondary payloads. Additional decoy documents copied from Armtrac's official website were compressed within nested ZIP and 7z archives named "Armtrac-Commercial.7z" to enhance credibility and bypass security filters.

The final payload consisted of two custom backdoors: the open-source QUASARRAT malware and a proprietary .NET-based Remote Access Tool named RATVERMIN, first documented by Palo Alto Networks Unit 42 in January 2018. RATVERMIN harvested system information, recorded all keystrokes and clipboard content through an integrated keylogger, and encrypted collected data before exfiltration. The malware enabled attackers to execute commands for process manipulation, audio recording, screenshot capture, file deletion, and self-updating mechanisms. FireEye Threat Intelligence attributed the campaign to actors active since at least 2014 based on malware compilation timestamp analysis, noting their exclusive use of RATVERMIN among known threat groups. While definitive attribution remained inconclusive, technical evidence suggested the group operated as a sub-state entity primarily targeting Ukrainian entities, with historical patterns indicating potential future expansion beyond regional boundaries. The incident demonstrated adaptive tradecraft through evolving initial access techniques and leveraging of both open-source and proprietary malware tools.
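The initial access chain described above (a shortcut file masquerading as a document, tucked inside nested archives with genuine decoy files) is something a mail gateway or triage script can check for without running anything. The following is an added defensive example, not code from the original record or from the researchers it cites: it recursively unpacks ZIP attachments, flags Windows shortcut (.lnk) members by extension or by their Shell Link header, and notes double extensions and PowerShell references. The archive contents, the member names (the page only gives "Armtrac-Commercial.7z") and the stub shortcut are constructed here; 7z is not handled because the Python standard library lacks a 7z reader, so the sample uses nested ZIPs to stand in for the ZIP-in-7z nesting the page describes.

```python
"""Scan nested ZIP attachments for shortcut files posing as documents.

Added defensive example; sample data below is constructed, not from the incident.
"""
import io
import zipfile

# A Shell Link (.lnk) file begins with HeaderSize 0x0000004C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in little-endian order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")
ARCHIVE_EXTENSIONS = (".zip",)   # assumption: only ZIP is unpacked here
MAX_DEPTH = 4                    # stop unpacking archives nested deeper than this


def looks_like_lnk(data: bytes) -> bool:
    """True when the bytes start with the Shell Link header, whatever the name says."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def assess_entry(path: str, data: bytes) -> list[str]:
    """Return the reasons an archive member is suspicious (empty list = clean)."""
    reasons = []
    lower = path.lower()
    stem, _, ext = lower.rpartition(".")
    if ext == "lnk" or looks_like_lnk(data):
        reasons.append("windows shortcut inside archive")
        # e.g. "offer.pdf.lnk": the visible part of the name imitates a document
        if any(stem.endswith(d) for d in DOC_EXTENSIONS):
            reasons.append("double extension mimicking a document")
        if b"powershell" in data.lower():
            reasons.append("shortcut references PowerShell")
    return reasons


def scan_archive(blob: bytes, prefix: str = "", depth: int = 0) -> list[tuple[str, list[str]]]:
    """Walk a ZIP (and any ZIPs inside it) and collect (member path, reasons)."""
    findings: list[tuple[str, list[str]]] = []
    if depth > MAX_DEPTH:
        findings.append((prefix, ["archive nesting exceeds limit"]))
        return findings
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            data = zf.read(info)
            if info.filename.lower().endswith(ARCHIVE_EXTENSIONS):
                findings.extend(scan_archive(data, path + "/", depth + 1))
                continue
            reasons = assess_entry(path, data)
            if reasons:
                findings.append((path, reasons))
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to assemble an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stub: a valid Shell Link header, zero-filled fields, and a
# PowerShell reference. It is not a real shortcut from the campaign.
FAKE_LNK = LNK_MAGIC + b"\x00" * 56 + b"powershell.exe -File stage.ps1\x00"

# Constructed attachment: archive-in-archive holding the disguised shortcut
# next to a harmless decoy document, mirroring the structure the page describes.
SAMPLE_ATTACHMENT = build_zip({
    "Armtrac-Commercial.zip": build_zip({
        "Armtrac-Commercial.pdf.lnk": FAKE_LNK,
        "Armtrac-Brochure.pdf": b"%PDF-1.4 decoy brochure copied from a public website",
    }),
    "readme.txt": b"Please review the attached commercial offer.",
})

if __name__ == "__main__":
    for member, why in scan_archive(SAMPLE_ATTACHMENT):
        print(member, "->", "; ".join(why))
```

Checking the header bytes rather than trusting the extension matters because an attachment filter keyed on ".lnk" alone misses a shortcut renamed to look like something else; conversely, the double-extension check catches the presentation trick (document name, Word icon) even when the file is exactly what it claims to be. The nesting limit keeps a recursive unpacker from being tied up by deeply nested archives.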
