A Russian-linked hacking group attempted to infiltrate a petroleum refining company in a NATO member state in late August, according to a report by Palo Alto’s Unit 42.
The attempted intrusion, which appears to have been unsuccessful, occurred on Aug. 30 and was carried out through spear phishing emails using English-named files containing words like “military assistance,” according to the report, which provides an update on the activities since the start of the Russian invasion of Ukraine of a hacking group Palo Alto tracks as “Trident Ursa.”
The report on Trident Ursa’s latest movements comes on the heels of a warning from National Security Agency Cyber Director Rob Joyce that Russian state-backed hackers may target the energy sector in NATO countries in coming months.
These attacks, Joyce said, may have “spillover” impacts for Ukraine’s neighbors — like Poland, where Microsoft recently warned that Russian-backed hackers have stepped up attacks on the country’s logistics industry, a key enabler of the Ukrainian war effort.
Linked to Russia’s Federal Security Service and active since at least 2014, Triton Ursa is also known as “Gamaredon” or “Armageddon” and is primarily known for its intelligence gathering operations through phishing. The group has been heavily active since the start of the Ukraine war and has previously tried to phish Ukrainian entities.
The report from Unit 42 assesses that the likely goal of infiltrating a petroleum refining company was to increase “intelligence collection and network access against Ukrainian and NATO allies.”
Unit 42 researchers told CyberScoop in an email that even though they believe Trident Ursa is made up of less than 10 individuals, the hacking group remains one of the most “pervasive, intrusive, continuously active and focused APTs targeting Ukraine.”
“This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains, and new techniques and try again — often even reusing previous samples,” the report notes.
Trident Ursa isn’t technically sophisticated, researcher say, and instead relies on lures and publicly available tools. The group utilizes geo-blocking to limit their attacks, only letting users in targeted countries download malicious files, which reduces the visibility of their attacks and makes their campaigns more difficult to identify.
The Russian hacking group also has some unique tendencies in picking domain names referencing pop culture. Some of the domains includes U.S. basketball teams, well-known rock bands such as Metallica and Papa Roach and names of characters from the popular TV show “The Big Bang Theory,” Unit 42’s researchers told CyberScoop.
The group also has a habit of trolling its opponents and attacking them online. Shortly after the Russian invasion of Ukraine, a member of Trident Ursa known as “Anton” threatened Ukrainian researchers on Twitter, saying “I’m coming for you.” Subdomains used by the group appear to have been named after a Ukrainian cybersecurity researcher.
“To their credit, the targeted researchers were undaunted, and tweeted additional Trident Ursa IoCs over the weeks following these threats,” the report notes.