Cyber Incident Victim: Dnipro Control System
Date: Oct 2019
Location: Ukraine
Summary
The Russia-linked Gamaredon group conducted cyberespionage operations against Ukrainian entities, including the Dnipro Control System, using spear-phishing campaigns with weaponized documents. The attackers used template injection to retrieve malicious .dot template files from remote servers; those templates executed VBA macros that dropped persistent VBScripts into startup folders. After a system reboot, the scripts initiated staged payload delivery, deploying encrypted second-stage malware only on systems the threat actors judged valuable. The campaign focused on infiltrating government, military, law enforcement, and diplomatic sectors to support strategic intelligence gathering, consistent with known Russian state-sponsored objectives in the region.
Description
The Russia-linked Gamaredon cyberespionage group conducted a sustained campaign targeting Ukrainian entities between mid-October and late November 2019. Security firm Anomali documented spear-phishing attacks against diplomats, government employees, military personnel, law enforcement, journalists, NGOs, and specific organizations including the Dnipro Control System and Ukraine's Ministry of Foreign Affairs. Attackers distributed weaponized documents appearing to originate from legitimate sources, with three confirmed lures: one discussing General Staff requirements for visual agitation improvements at Dnipro Control System, another impersonating media watchdog Detector Media, and a third targeting foreign affairs officials. The initial infection vector utilized template injection rather than embedded macros, causing documents to retrieve malicious .dot templates from remote servers when opened. This activity represented a continuation of Gamaredon operations first observed in 2013, with Ukrainian CERT reporting similar military-targeted campaigns earlier in 2019.

The technical execution involved the downloaded document templates executing VBA macros that wrote VBScripts to the system startup folders. After a reboot and a delay of approximately 181 seconds, the scripts contacted dynamic DNS domains to request encrypted second-stage payloads. The attackers implemented conditional payload delivery, deploying additional malware only after profiling the victim and confirming the target's value; on systems not selected, the attack artifacts were systematically erased. Analysis confirmed that the infrastructure and tactics aligned with Gamaredon's historical patterns, including chained SFX archives and the Matryoshka-style nested payload structures observed in prior campaigns. Security researchers at Cybaze-Yoroi and Anomali attributed the activity to Russian state interests based on the targets' alignment with Kremlin geopolitical objectives in Ukraine and technical consistency with known Gamaredon tradecraft. The campaign demonstrated ongoing Russian cyber operations against Ukrainian critical infrastructure and government bodies during the documented period.
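The remote-template fetch described above is visible in the document package itself: a Word file that loads its template from a server carries an attachedTemplate relationship whose target is an external URL, so a defender can scan inbound attachments for it before they are opened. The following scanner is an added example, not code from this page or from the researchers it cites; the minimal .docx packages it builds in memory and the server URL in them are constructed placeholders.

```python
"""Flag .docx files whose attached template is fetched from a remote location."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_PATH = "word/_rels/settings.xml.rels"     # where the attachedTemplate link lives
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REMOTE = re.compile(r"^(https?://|\\\\)", re.I)  # URL or UNC path = remote fetch


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target that points at a remote server."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return hits                        # no settings rels: no attached template
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter(PKG_NS + "Relationship"):
            if not rel.get("Type", "").endswith("/attachedTemplate"):
                continue
            target = rel.get("Target", "")
            # Only external targets can reach a server; local .dotm paths are benign.
            if rel.get("TargetMode") == "External" and REMOTE.match(target):
                hits.append(target)
    return hits


def _build_docx(rels_xml: Optional[str]) -> bytes:
    """Construct a minimal docx-like package, optionally with a settings rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if rels_xml is not None:
            zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed samples: a locally attached template versus a remote one.
_RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
         '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
         'relationships/attachedTemplate" Target="{target}" TargetMode="External"/></Relationships>')
BENIGN_DOCX = _build_docx(_RELS.format(target="file:///C:/Templates/Normal.dotm"))
SUSPECT_DOCX = _build_docx(_RELS.format(target="http://template-server.example/lure.dot"))

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOCX), ("suspect", SUSPECT_DOCX)):
        print(name, find_remote_templates(doc))
```

Run it over quarantined attachments and alert on any non-empty result; a document with no settings relationships or a local template path returns an empty list.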
