A hacking group the Ukrainian government says is a unit of Russian intelligence attempted earlier this year to compromise a large petroleum refining company based inside a NATO member, new research charges.
The group, variously dubbed Gamaredon, Primitive Bear, or UAC-0010, has been active since around the time that Russian aggression sparked ongoing conflict in Ukraine, in 2014 or 2013.
A Ukrainian assessment traces the group to the self-proclaimed “Office of the FSB of Russia in the Republic of Crimea and the city of Sevastopol” and says its staff includes former Ukrainian law enforcement officials.
Trident Ursa, as Palo Alto Networks’ Unit 42 threat intelligence calls the threat actor, is “one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine,” the company says in a Tuesday report detailing the threat actor’s recent activities.
In tandem with Russia’s breakdown in relations with the West sparked by its February invasion of Ukraine, Palo Alto Networks researchers say Gamaredon expanded operations into intelligence gathering on NATO allies.
Hence the attempted compromise of an unidentified petroleum refining company in an unidentified nation that’s a member of the military alliance. That broadening of targets is reflected in the group’s adoption of English-language phishing lures as well as its standard Ukrainian-language messages, researchers say.