Government

Possible APT attacks against Ukraine expand to target journalists, researchers say

Previous research into Gamaredon determined that hackers included Russian phrases that, when translated into English, insulted Americans.

By Jeff Stone

December 9, 2019

Representatives of the media film Feb. 26, 2019, at an appearance in Kyiv, Ukraine, by Amb. Kurt Volker, the U.S. special representative for Ukraine negotiations. (U.S. Embassy Kyiv Ukraine / Flickr)

A suspected Russian hacking campaign that’s resulted in attacks against Ukrainian military and government agencies also has affected journalists, law enforcement and nongovernmental organizations, according to new findings.

Gamaredon, a hacking group that has been active since 2013 and mostly haunted Ukrainian government targets, has broadened its reach within that country, the threat intelligence company Anomali said in research published Dec. 5.

Anomali did not identify any Gamaredon targets by name, other than the Ministry of Foreign Affairs, and said it remains unclear if attackers successfully have breached the targeted people and organizations.

The attempted attacks were ongoing as of Dec. 6 after beginning in mid-September, Anomali said. If Gamaredon is behind the hacking attempts, as Anomali has assessed, the campaign represents an expansion of the group’s interests.

The advanced persistent threat (APT) group, which Fortinet previously reported has “strong Russian ties,” based on a language analysis, has sought to breach Ukrainian public sector organizations with malicious emails that mentioned Crimea or Volodymyr Zelenskiy, Ukraine’s president.

In a November 2018 alert, Ukraine’s Computer Emergency Response Team and Foreign Intelligence Service said they detected an uptick in attacks relying on the Pterodo malware. That hacking tool, which is associated with Gamaredon, collects system data, perhaps as part of reconnaissance for later attacks, the alert said.

These attempts utilized Dynamic Domain Name Server domains for command and control servers, and the programming language Visual Basic for Applications to spread malware.

In one case, Anomali researchers received a submission from Detector Media, a media watchdog, which discussed a Ukrainian reporter from the Kyiv Post, an investigative outlet. The note suggested that the journalist, Anna Myroniuk, had received threatening SMS messages from militia fighters based in Luhansk, an area of Eastern Ukraine Russia has sought to absorb. The threatening messages suggested that multiple reporters who had applied to work in combat zones had their contact information leaked, and that fighters in Luhansk were trying to intimidate journalists.

An unrelated analysis of Gamaredon activities published by Fortinet in August determined that a close analysis of the files included in a previous attack contained a Russian phrase that translates to “American bastards.”