Last month, a Russia-linked threat actor attempted a cyberattack in Ukraine against an entity that’s part of an unidentified Western government, according to researchers in Palo Alto Networks’ Unit 42 organization.
The attempted attack took place on January 19, and was carried out by a group that Unit 42 calls Gamaredon. The group’s leadership includes five Russian Federal Security Service officers, the Security Service of Ukraine said previously.
In a blog post today, Unit 42 researchers said that Gamaredon has primarily focused its cyber campaigns against Ukrainian government officials and organizations since 2013.
The researchers said they have been closely monitoring Gamaredon’s activities because of the geopolitical situation and the group’s target focus.
The disclosure of the attempted attack came amid estimates that Russia has stationed more than 100,000 troops on the eastern border of Ukraine. On Wednesday, President Joe Biden approved sending an additional 3,000 U.S. troops to Eastern Europe.
A ‘precision’ attack
Unit 42 said it has mapped three clusters of Gamaredon’s infrastructure used to support the group’s malware and phishing activities, comprising more than 100 malware samples, 700 malicious domains, and 215 IP addresses.
“The attack involved a targeted phishing attempt,” Unit 42 reported.
In this attempt, rather than emailing the [malware] downloader directly to their target, the actors leveraged a job search and employment service within Ukraine, the researchers said. They searched for an active job posting, uploaded their downloader as a resume, and submitted it through the job search platform to a Western government entity.
Due to the “steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to compromise this Western government organization,” Unit 42 said in its post.
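The delivery path described above is the security-relevant detail: the file never arrived as an email attachment, it came through a third-party job platform that the target trusted, so a resume-intake pipeline has to inspect content rather than rely on the sender channel. The following is an added example (not code from Unit 42 or the original article) of the kind of check a receiving organization could run on every submitted "resume" before anyone opens it: it compares the claimed extension with the file's magic bytes, flags double extensions and executables, and looks inside Office and PDF files for macros, external relationships and active content. The signature table, the sample files and the finding names are all assumptions constructed for the example; the page does not say what format Gamaredon's downloader took.

```python
import io
import re
import zipfile

# Assumption: a minimal magic-byte table, not an exhaustive file-type detector.
SIGNATURES = [
    (b"MZ", "pe"),                                   # Windows EXE/DLL/SCR
    (b"PK\x03\x04", "zip"),                          # OOXML (docx/docm/xlsx) or plain zip
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls, .msi
    (b"%PDF", "pdf"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),       # Windows shortcut
]

# Extensions a resume is plausibly submitted as, mapped to the content we expect.
EXPECTED = {"pdf": "pdf", "docx": "zip", "doc": "ole", "rtf": "rtf", "txt": "text"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "hta", "lnk", "msi"}


def sniff(data: bytes) -> str:
    """Classify file content by its leading bytes, ignoring the filename."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data.startswith(b"{\\rtf"):
        return "rtf"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def inspect_resume(filename: str, data: bytes) -> list:
    """Return a list of finding labels for one uploaded file (empty = nothing suspicious)."""
    findings = []
    exts = filename.lower().split(".")[1:]
    ext = exts[-1] if exts else ""
    kind = sniff(data)

    # Executable content, whatever the file is called.
    if ext in EXECUTABLE_EXTS or kind in ("pe", "lnk"):
        findings.append("executable-content")
    # "cv.pdf.exe" style names hide the real extension behind a familiar one.
    if len(exts) > 1 and exts[-2] in EXPECTED:
        findings.append("double-extension")
    # The name claims a document type but the bytes say otherwise.
    if ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append(f"type-mismatch:{ext}!={kind}")

    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # A VBA project inside an OOXML container means macros.
                if any("vbaproject" in n.lower() for n in names):
                    findings.append("office-macro")
                # External relationships pull content from a remote server on open.
                for n in names:
                    if n.endswith(".rels") and b'TargetMode="External"' in zf.read(n):
                        findings.append("external-relationship")
                        break
        except zipfile.BadZipFile:
            findings.append("corrupt-zip")

    if kind == "pdf" and re.search(rb"/(JavaScript|JS|Launch|OpenAction)\b", data):
        findings.append("pdf-active-content")
    return findings


def _build_macro_docx() -> bytes:
    """Constructed sample: a minimal OOXML container carrying a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample submissions (not real malware): a renamed executable,
# a double-extension executable, a macro-bearing document and a clean PDF.
SAMPLES = {
    "cv.pdf.exe": b"MZ" + b"\x00" * 62,
    "resume.pdf": b"MZ" + b"\x00" * 62,
    "resume.docx": _build_macro_docx(),
    "resume_clean.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
}


def scan_all(samples=None) -> dict:
    """Inspect every sample and map filename -> findings."""
    samples = SAMPLES if samples is None else samples
    return {name: inspect_resume(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name}: {findings or 'clean'}")
```

The point of keying on magic bytes rather than the filename is that the job platform, like the email gateway it replaced here, may only validate the declared extension; an inspection step that sits between the platform's download and the recruiter's desktop catches the mismatch regardless of which channel delivered the file.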
The post does not identify or further describe the Western government entity. When contacted by VentureBeat today, Unit 42 said it’s not providing further details.
The attempted attack came less than a week after more than 70 Ukrainian government websites were targeted with the new “WhisperGate” family of malware.
The U.S. Department of Homeland Security (DHS) last month suggested it’s possible that Russia might be eyeing a cyberattack against U.S. infrastructure, amid tensions between the countries over Ukraine.
Kevin Breen, director of cyber threat research at Immersive Labs, said in a previous statement: “We’ve seen notable ransomware groups operating out of that region, including REvil and DarkSide, with the technical ability to compromise large networks rapidly and at great scale.”
“It would be wrong to assume that the nation state housing such criminal elements doesn’t have a matching capability,” Breen said.