A Russia-linked hacking group that focuses on Ukraine made an unsuccessful attempt at the end of August to break into a large petroleum refining company in a NATO member nation, while Ukraine itself was under military attack, according to a report by Palo Alto Networks' Unit 42 threat intelligence team.
According to the Unit 42 researchers, the attempt took place on August 30, 2022. Ukraine's Security Service (SSU) attributes the group behind it to Russia's Federal Security Service (FSB). Neither the NATO country nor the refining company is identified in the report.
Trident Ursa, as Palo Alto Networks’ Unit 42 calls the hacking group, is “one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine” and has been active since at least 2014.
The advanced persistent threat (APT) group is also tracked as Gamaredon, UAC-0010, Primitive Bear and Shuckworm, and is known primarily for intelligence-gathering operations that begin with phishing.
In addition to its usual Ukrainian-language lures, the group has been using English-named files containing phrases such as "military assistance" in an attempt to extend its "intelligence collection and network access against Ukrainian and NATO allies," Unit 42 reported.
“As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer,” Palo Alto Networks Unit 42 said in the report.
Over the past 10 months, the Unit 42 researchers say they have mapped more than 500 new domains, 200 samples and other indicators of compromise (IoCs) supporting Trident Ursa's various spear-phishing campaigns and malware, and have observed multiple shifts in the group's tactics, techniques and procedures (TTPs) over the same period.
“This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains, and new techniques and try again — often even reusing previous samples,” the report notes.
Some of the filenames used in the unsuccessful attempt were "MilitaryassistanceofUkraine.htm", "Necessary_military_assistance.rar" and "details of essential things needed for the provision of military humanitarian assistance to Ukraine.lnk". The last is a Windows shortcut file, a common lure format because a shortcut can launch an arbitrary command when the victim double-clicks it.
Beyond the intrusions themselves, an individual who appeared to be involved with the Gamaredon group threatened to harm a Ukraine-based cybersecurity researcher after the researcher published IoCs linked to the group's activity following the February 2022 invasion.
To keep its infrastructure resilient, the group also used Telegram pages as a lookup point for its command-and-control (C2) servers, so that blocking a hard-coded address does not cut off the malware, and relied on fast-flux DNS, rapidly rotating the IP addresses behind its domains so that denylisting individual IPs has little lasting effect.
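The fast-flux behaviour described above is visible in DNS telemetry: a domain whose answers carry a short TTL and cycle through many addresses across unrelated networks over a short window. The following Python is an added example written for this page, not code from Unit 42 or from the report; the records, domains, addresses and thresholds are all constructed placeholders (RFC 5737 documentation ranges), not real indicators.

```python
"""Fast-flux heuristic over passive-DNS style records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DnsAnswer:
    ts: int       # epoch seconds when the answer was observed
    qname: str    # queried domain
    rdata: str    # resolved IPv4 address
    ttl: int      # TTL carried in the answer


# Constructed sample telemetry. Domains are in .test and addresses come from
# RFC 5737 documentation ranges; none of this is a real IoC.
SAMPLE = [
    # A flux-like domain: 8 distinct IPs across 3 different /24s in ~35 minutes, TTL 60.
    DnsAnswer(1661817600 + i * 300, "lookup.example-flux.test", ip, 60)
    for i, ip in enumerate([
        "203.0.113.10", "198.51.100.22", "192.0.2.77", "203.0.113.140",
        "198.51.100.201", "192.0.2.5", "203.0.113.250", "198.51.100.99",
    ])
] + [
    # A stable corporate host: one IP, long TTL.
    DnsAnswer(1661817600 + i * 300, "static.example-corp.test", "192.0.2.200", 86400)
    for i in range(8)
] + [
    # A CDN-style host: a few IPs in one /24, moderate TTL (should not be flagged).
    DnsAnswer(1661817600 + i * 300, "cdn.example-edge.test", ip, 300)
    for i, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.1", "198.51.100.3"] * 2)
]


def summarize(records):
    """Per-domain statistics that a fast-flux heuristic can score."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.qname].append(r)

    out = {}
    for qname, rs in by_domain.items():
        rs.sort(key=lambda r: r.ts)
        ips = {r.rdata for r in rs}
        # Distinct /24 networks approximate "how many unrelated hosting blocks";
        # with ASN data available you would count distinct ASNs instead.
        nets = {ipaddress.ip_network(f"{r.rdata}/24", strict=False) for r in rs}
        span_hours = max((rs[-1].ts - rs[0].ts) / 3600, 5 / 60)  # floor at 5 minutes
        out[qname] = {
            "distinct_ips": len(ips),
            "distinct_24s": len(nets),
            "min_ttl": min(r.ttl for r in rs),
            "ips_per_hour": len(ips) / span_hours,
        }
    return out


def is_fast_flux(stats, min_ips=5, min_nets=3, max_ttl=300):
    """Thresholds are assumptions for illustration; tune them against your own baseline."""
    return (stats["distinct_ips"] >= min_ips
            and stats["distinct_24s"] >= min_nets
            and stats["min_ttl"] <= max_ttl)


def flag_fast_flux(records, **thresholds):
    """Return the sorted list of domains whose answers look like fast flux."""
    return sorted(q for q, s in summarize(records).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE).items():
        print(domain, stats, "FLUX" if is_fast_flux(stats) else "")
```

Run on the constructed sample, only `lookup.example-flux.test` is flagged. The caveat a practitioner will want: legitimate CDNs and round-robin load balancers also return short TTLs and several addresses, which is why the heuristic requires network diversity (several /24s, or several ASNs when that data is available) and not merely a low TTL, and why in production the output should be checked against an allowlist of known content-delivery and cloud providers before it is treated as an indicator.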
“Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations. In most cases, they rely on publicly available tools and scripts – along with a significant amount of obfuscation – as well as routine phishing attempts to successfully execute their operations,” the researchers conclude.