iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Palo Alto Network’s Unit 42 expert group has revealed details of a Russian-affiliated hacking group and its consistent phishing and intelligence gathering techniques.
Trident Ursa — which also operates under the names Gamaredon, Shuckworm, UAC-0010, and Primitive Bear — has been operating against Ukraine and targets in NATO since Russia invaded Ukraine in March. The Security Service of Ukraine believes the group to be tied to Russia’s Federal Security Service.
Since first discussing the group in February 2022, Unit 42 has uncovered 500 new domains and 200 samples of the group’s work.
Most strikingly, the research group found that Trident Ursa made an unsuccessful attempt to “compromise a large petroleum refining company within a NATO member nation” in August 2022.
On top of that, while the group largely targets Ukrainian speakers, it has branched out into a number of attempts to compromise English-speaking targets.
“We assess that these samples indicate that Trident Ursa is attempting to boost their intelligence collection and network access against Ukrainian and NATO allies,” Unit 42 said in a recent blog post.
The file names used by Trident Ursa as lures include MilitaryassistanceofUkraine.htm and, Necessary_military_assistance.rar. The latter, when opened, unpacks a file called “List of necessary things for the provision of military humanitarian assistance to Ukraine.lnk”.
Once such .lnk files are clicked, they download malicious files and create new user folders on infected machines. A VBSscript is then used to create a Windows scheduled task and registry key that runs every five minutes, and when a user logs in, ensuring persistent backdoor system access.
Trident Ursa has also been seen to use Word documents and other executable files to infect and monitor machines.
The group has been operating since 2014, when Russia annexed the Crimea region of Ukraine. While its operations have frequently been monitored and even caught, the sheer simplicity of its techniques allow it to simply add new methods of obfuscation, and new domains, and keep plugging away at its operations.
A Trident Ursa-affiliated individual also made a number of threats to Ukrainian cyber security experts, including doxxing one individual on Twitter, in the opening days of the invasion.
Unit 42 points out that the targeted Ukrainian specialists continued to operate and monitor Trident Ursa despite the threats.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
