Cyber Incident Victim: KP in Ukraine
Date: Nov 2018
Location: Ukraine
Summary
Ukrainian government agencies were targeted by a new variant of the Pterodo backdoor malware, associated with the Gamaredon threat group, designed to collect system data and establish communication with command-and-control servers for potential follow-on attacks. The malware selectively activates on systems with specific language localizations, complicating automated analysis, and generates unique URLs for data exfiltration based on infected hardware identifiers. Separately, a Cozy Bear campaign utilized spear-phishing emails impersonating a US State Department official to infiltrate US government entities, think tanks, and businesses, leveraging malware historically linked to breaches of political organizations and NATO-affiliated targets.
Description
In November 2018, Ukraine's Computer Emergency Response Team (CERT-UA) and the Foreign Intelligence Service of Ukraine identified a new variant of the Pterodo backdoor malware targeting government agency computers. The malware, also known as Pteradon, was linked to the Gamaredon threat group, which historically focused on Ukrainian military and government entities using readily available tools. CERT-UA issued an alert stating the discovery likely represented preparatory activity for an imminent cyberattack. The backdoor collected system information from infected Windows machines and transmitted it regularly to attacker-controlled command-and-control (C2) servers while awaiting additional instructions. The malware's operation was conditional, activating exclusively on systems with language settings for Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, Tatar, and other languages associated with former Soviet republics—a feature designed to complicate automated analysis by certain security tools.

The updated Pterodo variant generated unique C2 URLs based on the infected system's hard drive serial number, enabling attackers to tailor subsequent payload deployments after reviewing uploaded victim data. Identified C2 domains included updates-spreadwork.pw, dataoffice.zapto.org, and bitsadmin.ddns.net. Concurrently, the article referenced unrelated activity by the Cozy Bear threat group (also known as The Dukes), which conducted spear-phishing campaigns impersonating a US State Department official named Susan Stevenson. Cozy Bear historically targeted US government entities, NATO-aligned organizations, think tanks, and businesses, including the 2016 Democratic National Committee breach. While both Gamaredon and Cozy Bear operated with Russian affiliations, the article did not establish operational coordination between these groups in this specific incident. Ukrainian authorities provided no additional details regarding containment measures, victim counts, or specific data exfiltrated beyond the confirmed presence of the malware on state systems.
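To show how the C2 domains named above can be put to defensive use, here is an added example (not code from the article, CERT-UA or any vendor) that scans DNS query logs for lookups of those domains, treating subdomains and mixed case as matches while ignoring unrelated names that merely contain the IoC as a substring. The log line format, the client addresses and the subdomain labels are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Domains reported as Pterodo C2 infrastructure in the Nov 2018 CERT-UA alert (as listed on the page).
PTERODO_C2_DOMAINS = {"updates-spreadwork.pw", "dataoffice.zapto.org", "bitsadmin.ddns.net"}

# Constructed sample DNS log lines; the format "<timestamp> <client_ip> query <name>" is an assumption.
SAMPLE_DNS_LOG = """\
2018-11-20T09:14:02Z 10.0.5.23 query www.example.com
2018-11-20T09:14:05Z 10.0.5.23 query a1b2c3.updates-spreadwork.pw
2018-11-20T09:15:11Z 10.0.5.41 query DATAOFFICE.ZAPTO.ORG
2018-11-20T09:16:30Z 10.0.5.23 query bitsadmin.ddns.net.internal.corp
2018-11-20T09:17:02Z 10.0.5.77 query bitsadmin.ddns.net
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)$")


def matches_c2(name: str, iocs=PTERODO_C2_DOMAINS) -> Optional[str]:
    """Return the IoC domain that `name` equals or is a subdomain of, else None.

    Matching on a label boundary ('.' + domain) avoids false positives from names
    that only contain the IoC as a substring, e.g. after search-list suffixing.
    """
    n = name.lower().rstrip(".")
    for d in iocs:
        if n == d or n.endswith("." + d):
            return d
    return None


def scan_dns_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried name, matched IoC) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ioc = matches_c2(m["name"])
        if ioc:
            hits.append((m["ts"], m["client"], m["name"], ioc))
    return hits


def clients_to_triage(text: str) -> Dict[str, List[str]]:
    """Group matched IoCs by client address to produce a host triage list."""
    by_client: Dict[str, List[str]] = defaultdict(list)
    for _ts, client, _name, ioc in scan_dns_log(text):
        by_client[client].append(ioc)
    return dict(by_client)
```

On the constructed sample, the fourth line (the IoC followed by an internal suffix) is correctly left unflagged, while the remaining three C2 lookups are reported.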
