CyberWire Daily - Primitive Bear spearphishes for Ukrainian entities. [Research Saturday]
Episode Date: June 19, 2021
Guests Gage Mele and Yury Polozov join Dave to talk about Anomali's research "Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes." Anomali Threat Research identified malicious samples that ...align with the Russia-sponsored cyberespionage group Primitive Bear's (Gamaredon, Winterflounder) tactics, techniques, and procedures (TTPs). Primitive Bear, known primarily to focus on Ukraine, has been very active in 2021. However, the themes of the samples Anomali found, as well as those shared by the security community, could also be used to target multiple former Union of Soviet Socialist Republic (USSR) countries. Anomali Threat Research found malicious .docx files being distributed by Primitive Bear, likely through spearphishing, that attempted to download remote template .dot files through template injection. The research can be found here: Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Primitive Bear is an interesting group in that they primarily focus on Ukrainian entities and individuals.
So you see a lot of their malicious documents are themed around these government entities.
Our guests this week are Gage Mele and Yury Polozov.
They are both members of Anomali's threat research team. The research we're discussing is titled
Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily. Zscaler Zero Trust plus AI: hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
And they like to use template injection.
That's Gage Mele.
So typically they'll have a docx file that'll reach out to a domain to download a template.
And then unfortunately, in this case, the template domains were down.
So we don't know what the .dot files exactly were doing.
In previous activity, these .dot files contained a VBScript.
And then these VBScripts would begin the infection chain.
But unfortunately, in this case, we're not sure,
but we wanted to show that they're still using these TTPs,
and in this case, in quite a timely manner as well.
And Primitive Bear, we are confident in saying, is a Russian group.
Yes, absolutely.
That's Yury Polozov.
Some open source reporting even connects them directly
to Russia's Federal Security Service, or FSB.
So it was some irony to see some of the decoy documents
that we show in this paper actually referring to FSB
as a topic.
Well, let's walk through it together. I mean, let's go through step by step. If someone found themselves the target of this group, what would happen? Can you take us through it?
Sure, yeah. They operate typically through spear phishing. There's likely other ways they accomplish their objectives, but usually they'll do spear phishing, so something that looks legitimate to someone. And in this case, it was timely to current events that were taking place in Ukraine and Russia with the military troop buildup at that time.
So they'll use things specific to that timeframe to appear more authentic.
And then as soon as you click and open that file,
it tries to download that remote template.
And if that succeeds, potentially bad news for you.
So at that point, it would try to get a second stage payload
that would be the actual malware itself, we suspect?
Correct.
That.dot file is where the bad stuff lives.
I see.
And in this case, as you say,
the servers to deliver that were not up and running,
so the exploration sort of ended there.
Unfortunately, yes. These groups are smart in that case.
Well, they'll have some dedicated infrastructure.
They'll turn it on, launch a campaign, turn it off.
Yeah, and the same about the decoy documents.
They're very sophisticated.
All the search that we did showed that the data, like sensitive contact information, in those decoy documents was accurate.
For example, some of them were referring to Ukrainian embassies in different countries or some military exercises and related phone books to it.
And it was always timed.
Often the timestamp in the document was very close, typically the same month that the attack actually happened.
And one document in particular, the decoy was some scientific paper about Ukrainian public relationships with different countries.
And so researchers saw this decoy used in an attack.
And then a similar, pretty much the same document that was used as the decoy was published publicly in Ukraine, but not before.
And the fact that we saw that it's an actual scientific paper, but it was published after Primitive Bear used it, that way we know that they actually have some way of stealing real Ukrainian documents and weaponizing them to use in their attacks, rather than, another option would be to just create some fake document based on known facts,
but it seems they use some other stream of stolen documents for their purposes.
Yeah, that's an interesting lure there.
I mean, you can imagine if someone was interested in the content of this sort of scientific document
and they were able to get it ahead of other people, you know, sort of hot off the presses, if you will,
that you could really imagine that working as clickbait.
Yes, absolutely. And we saw them using all kinds of topics for the U.S.,
some legal questions, some questions around occupied Crimea.
And Crimea is a diverse region, so they would use different languages.
They would use Ukrainian, but sometimes they use Russian as well
because many people in eastern Ukraine and Crimea, they speak Russian.
So all kinds of lures that they use and experiment with.
But some of the documents themselves, they are legitimate documents.
So they're stealing them or borrowing them from other sources and using the legitimacy of those documents to try to get people to click through.
Yes, absolutely.
And it makes it harder to detect with the human eye because it's actually a real document that was used.
Right, right.
So in terms of people protecting themselves against this,
what do you recommend?
Is this something where endpoint protection
would be able to notice that something was up?
Yeah, I think potentially.
You know, strange email addresses.
So tools like that are always helpful. But a lot of it is just education on, you know,
something seems too good to be true. You know, for instance, early access to something, you know,
maybe it is. And if you get an email from someone, maybe you should email that again and confirm
that it was sent to you. A lot of sophisticated groups, unsophisticated groups, groups of all kinds,
use a lot of social engineering as that initial infection chain,
because it works, unfortunately.
Right.
In terms of Primitive Bear themselves,
I suppose there's no reason to believe that they'll do anything
other than keep at what they're doing.
I mean, it seems like they've had some success, and I suppose we should expect to see more from them in the future.
Yes, they've been busy.
And I'm sure they use, you've seen research from other researchers out there, which is really good stuff as well.
And different TTPs, it just so happens that this campaign was dedicated to these
docx files, but other TTPs are very likely in Primitive Bear's, or are in Primitive Bear's repertoire.
And of course, after this research, we already saw
new examples of the activity, but
generally, Russian cyber activity
is often part of larger geopolitical or military activities.
So earlier this year,
when fighting in eastern Ukraine was intensifying
and Russia was moving troops closer to the Ukrainian border,
that's why we saw this campaign being more active
and it was an interesting timing.
And also it was important that international communities
saw Russia moving its troops
but also saw Russia sending malicious emails towards Ukraine.
And it prompted a stronger than usual response.
And now most of those troops moved back, at least for now.
And it's not the end of the story.
Putin will continue trying to expand his empire, so to say.
But it's very weird.
Our thanks to Gage Mele and Yury Polozov
from Anomali's threat research team.
The research is titled Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes.
We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland out
of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Kirill Terrio, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.