‘Gamaredon’ hackers target Ukrainian officials amid rising Russian tensions

Russian hackers have a long history of going after organizations in Ukraine, but one group especially has tunnel vision for the former Soviet republic. And recently, it looks like those hackers returned with a new campaign targeting Ukrainian government officials, threat researchers say.

Gamaredon — also known as Primitive Bear — is behind the malicious cyber activity, Anomali concluded with “high confidence” in research shared with CyberScoop in advance of its publication.

The campaign first appeared in January and ran through at least mid-March, Anomali said. Publication of the research coincides with escalating tensions between the two nations, with a Russian troop buildup along the Ukrainian border.

“This one is interesting because the alignment of real world events is just another indication of potential hybrid warfare that Russia is known to engage in,” said Gage Mele, lead cyber threat intelligence analyst at Anomali.

It caps a busy period for Gamaredon, which Cisco Talos said in February wasn’t just paying attention to Ukraine.

Anomali said the latest campaign’s goals were unclear, because the remote template domains it used were down at the time of discovery.

The suspected Russian hackers capitalized on current events as part of the likely spearphishing attempts. One legitimate-appearing document in the campaign is a Bulgarian-themed dissertation, during a time when Bulgarian prosecutors charged six Bulgarian government officials with spying for Russia.

“It would not be unlikely to think that Primitive Bear was using Bulgaria-themed decoys before the media knew of the events, thus making the information more relevant to Ukrainian officials who knew what was transpiring,” the research reads.

And Anomali predicted that the hackers could re-use the malicious files to go after government officials in other countries, too.