Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes

Russia-Sponsored Group Employs Apparently Legitimate Documents Aligned to Growing Hostilities Between Russia and Ukraine


Authored by: Gage Mele, Yury Polozov, and Tara Gould


Key Findings


Anomali Threat Research discovered a campaign targeting Ukrainian government officials with malicious files that could be repurposed to target government officials of other countries.
We assess with high confidence that this activity was conducted by Russia-sponsored cyberespionage group Primitive Bear (Gamaredon).
Primitive Bear was observed distributing .docx files that attempted to download a .dot file via remote templates.
The campaign appears to have taken place from January through at least late March 2021, and used decoy documents themed around current events. These documents also showed that Primitive Bear likely used unauthorized access or illicit purchase of private documents prior to their publication.
The final objective of this campaign remains unclear because the remote template domains were down at the time of discovery.

Overview


Anomali Threat Research identified malicious samples that align with the Russia-sponsored cyberespionage group Primitive Bear’s (Gamaredon, Winterflounder) tactics, techniques, and procedures (TTPs).[1] The group was distributing .docx files that attempted to download .dot files from remote templates. The final objective of this campaign remains unclear as the remote template domains were down at the time of discovery. We observed Primitive Bear activity in late 2019, and again in April 2020, during which time they used similar TTPs and Ukrainian government-themed decoys.[2] In those campaigns, Primitive Bear’s decoys loaded a remote template to drop a .dot file that would determine if the compromised machine was worthy of a second-stage payload.[3]


Primitive Bear, known primarily to focus on Ukraine, has been very active in 2021. However, the themes of the samples we found, as well as those shared by the security community, could also be used ..