Cyber Incident Victim: Government of Ukraine
Date: Nov 2018
Location: Ukraine
Summary
Ukrainian authorities detected a new variant of the Pterodo backdoor malware targeting government systems, warning of an impending large-scale cyberattack linked to Russian actors. The malware, associated with the Gamaredon threat group, collected system information and transmitted it to command-and-control servers while awaiting further instructions. It selectively activated on Windows systems using specific former Soviet-associated language localizations to hinder analysis. The backdoor generated unique URLs based on infected devices' hard drive serial numbers, facilitating tailored follow-on attacks through domains such as updates-spreadwork.pw and dataoffice.zapto.org. This activity represented preparatory stages for potential remote deployment of additional malicious tools against critical infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In late November 2018, Ukraine's Computer Emergency Response Team (CERT-UA) and the Foreign Intelligence Service of Ukraine identified a new variant of the Pterodo backdoor malware on government agency systems. The malware, also known as Pteradon, was linked to the Gamaredon threat group—a known actor using commercially available tools to target Ukrainian military and government entities. CERT-UA issued an alert stating the infection likely represented preparatory activity for an impending cyberattack. The modified Pterodo variant functioned as a reconnaissance tool, systematically harvesting system information from compromised Windows devices and transmitting this data to attacker-controlled command-and-control servers. The malware specifically activated only on systems configured with language localizations tied to former Soviet states, including Ukrainian, Russian, Belarusian, Armenian, Azerbaijani, Uzbek, and Tatar—a feature designed to complicate automated analysis by certain security tools. This targeting suggested a deliberate focus on regional victims.

The updated Pterodo malware generated unique command-and-control URLs based on the infected system's hard drive serial number, enabling attackers to tailor follow-on payloads to each victim. Identified command domains included updates-spreadwork.pw, dataoffice.zapto.org, and bitsadmin.ddns.net. While Ukrainian authorities did not specify the exact number of compromised systems, they confirmed infections across multiple state authorities. Concurrently, a separate campaign attributed to the Cozy Bear advanced persistent threat group (also known as "The Dukes") was observed using spear-phishing emails impersonating a U.S. State Department official named Susan Stevenson. This group, historically linked to intrusions at the Democratic National Committee in 2016 and to post-2016 U.S. election targeting of NGOs, focused on U.S. government entities, think tanks, and private sector organizations. Ukrainian officials emphasized the distinction between these activities, highlighting Pterodo's immediate threat to their infrastructure while noting Cozy Bear's broader geopolitical targeting patterns. Ukrainian cybersecurity agencies responded with heightened defensive monitoring but did not disclose specific containment measures beyond the initial detection.
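Because the URL path is derived from each victim's drive serial number, a detection for this activity should key on the command-and-control hostnames rather than on full URLs. The following is an added example, not code from the original report: it scans constructed proxy log lines (the format, IPs and URL paths are assumptions; the page does not give the real per-victim URL scheme) for exact or subdomain matches against the three domains named above, and deliberately does not flag the shared dynamic-DNS parent domains zapto.org and ddns.net.

```python
import re
from collections import defaultdict

# Command-and-control domains named in the CERT-UA reporting above.
PTERODO_C2_DOMAINS = (
    "updates-spreadwork.pw",
    "dataoffice.zapto.org",
    "bitsadmin.ddns.net",
)

# Constructed proxy log lines (not real traffic); format is an assumption:
# "<timestamp> <src_ip> <method> <url> <status>". Paths are made up.
SAMPLE_PROXY_LOG = """\
2018-11-20T09:12:01Z 10.20.30.41 GET http://updates-spreadwork.pw/a1b2c3d4/index.php 200
2018-11-20T09:12:05Z 10.20.30.41 GET http://www.zapto.org/ 200
2018-11-20T09:13:40Z 10.20.30.77 POST http://dataoffice.zapto.org/ff00ee11/get.php 200
2018-11-20T09:14:02Z 10.20.30.90 GET http://example.org/updates-spreadwork.pw 404
2018-11-20T09:15:10Z 10.20.30.41 GET http://bitsadmin.ddns.net/a1b2c3d4/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_of(url):
    """Return the lowercase hostname of an http(s) URL, without port or path."""
    m = re.match(r"^https?://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_c2_host(host):
    """Exact or subdomain match only. zapto.org and ddns.net are shared
    dynamic-DNS services, so the parent domains must not be flagged."""
    return any(host == d or host.endswith("." + d) for d in PTERODO_C2_DOMAINS)


def find_pterodo_beacons(log_text):
    """Map each internal source IP to the sorted list of C2 hosts it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, src, _method, url, _status = m.groups()
        host = host_of(url)
        if is_c2_host(host):
            hits[src].add(host)
    return {src: sorted(hosts) for src, hosts in hits.items()}


if __name__ == "__main__":
    for src, hosts in sorted(find_pterodo_beacons(SAMPLE_PROXY_LOG).items()):
        print(f"{src}: {', '.join(hosts)}")
```

Hosts that appear with more than one of these domains, like 10.20.30.41 in the sample, are the first candidates for isolation and disk imaging.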
