Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Social Engineering

Russian Hackers Targeted Oil Refinery Firm in NATO Country

'Gamaredon,' Tied to FSB, Expands Intelligence Ops as Invasion of Ukraine Persists
Russian Hackers Targeted Oil Refinery Firm in NATO Country
Gas leaks from the Nord Stream 2 pipeline into the Baltic Sea after the September 2022 explosion (Image: Danish Defense)

A hacking group the Ukrainian government says is a unit of Russian intelligence attempted earlier this year to compromise a large petroleum refining company based inside a NATO member, new research charges.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The group, variously dubbed Gamaredon, Primitive Bear, or UAC-0010, has been active since around the time that Russian aggression sparked ongoing conflict in Ukraine, in 2014 or 2013. A Ukrainian assessment traces the group to the self-proclaimed "Office of the FSB of Russia in the Republic of Crimea and the city of Sevastopol" and says its staff includes former Ukrainian law enforcement officials.

Trident Ursa, as Palo Alto Networks' Unit 42 threat intelligence calls the threat actor, is "one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine," the company says in a Tuesday report detailing the threat actor's recent activities.

In tandem with Russia's breakdown in relations with the West sparked by its February invasion of Ukraine, Palo Alto Networks researchers say Gamaredon expanded operations into intelligence gathering on NATO allies. Hence the attempted compromise of an unidentified petroleum refining company in an unidentified nation that's a member of the military alliance. That broadening of targets is reflected in the group's adoption of English language phishing lures as well as its standard Ukrainian language messages, researchers say.

The Ukrainian assessment and Palo Alto's report agree the group relies highly on phishing as a malware vector. It infects computers by coaxing users into opening attached HTML files, clicking on a seemingly benign link or opening a Word document. A phishing sample with a low detection rate on VirusTotal examined by Palo Alto found the Word attachment itself contained no malicious code. Rather, it downloaded a remote template containing a macro that then ran malicious code.

European reliance on Russian fossil fuels quickly emerged as a pressure point for Moscow in its attempt to tamp down Western support for Ukraine. In the years leading up to the February invasion, Europe collectively received about half its gas imports from Russia. An intensive effort to diversify the supply followed the invasion, and the United States in particularly increased shipments of liquefied natural gas.

Undersea pipelines known as Nord Stream 1 and 2 meant to carry natural gas from Russia to Germany exploded in late September in incidents that Danish and Swedish authorities said were the deliberate result of explosives. The Russian government dismissed as "stupid" claims that it was involved in the detonations, Reuters has reported.

One way Gamaredon stays resilient in the face of countermeasures is by rapidly swapping out the IP addresses for its domains in a technique known as DNS fast flux. It also attempts to obfuscate its operational IP addresses by seeding fast flux DNS tables with fake domains and using subdomains to carry out attacks, Palo Alto says. The company says the vast majority - nearly 96% - of Gamaredon's attack domains are registered using the Russian company

The group bypasses security measures such as malicious domain blocking by using the Telegram Messenger social media network for malware command and control.

About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.