Russian cyberwar operations by Trident Ursa or APT Gamaredon have remained active since the Ukraine invasion. In addition, there was an attempted attack on a major oil refinery in a NATO member state.
Ukraine has faced escalating cyber threats from Russia since early February, when Palo Alto Networks' Unit 42 reported extensively on the APT group Trident Ursa (aka Gamaredon, UAC-0010, Primitive Bear, Shuckworm). Trident Ursa is a group affiliated with the Russian domestic intelligence agency FSB. As the conflict continues on the ground and in cyberspace, Trident Ursa remains one of the most widespread, continuously active and targeted APTs targeting Ukraine.
500 new domains as an attack platform
Given the current geopolitical situation and the specific target focus of this APT group, Unit 42 researchers continue to actively seek indicators of operations. In doing so, they have identified over 500 new domains, 200 samples and other IoCs (Indicators of Compromise) supporting Trident Ursa's various phishing and malware targets over the past ten months. While monitoring these domains as well as open source information, the researchers noticed several notable activities:
- An unsuccessful attempt on August 30, 2022 to compromise a major refiner in a NATO member state.
- A person apparently related to Trident Ursa threatened a Ukrainian cybersecurity researcher immediately after the initial invasion.
- Several Tactics, Techniques, and Procedures (TTPs) changes.
findings of the investigation
Trident Ursa remains an agile and adaptable APT that does not employ overly sophisticated or complex techniques in its operations. In most cases, the group relies on publicly available tools and scripts—along with a significant degree of obfuscation—as well as routine phishing attempts to successfully conduct operations.
These are regularly discovered by researchers and government organizations, which the group appears to be unfazed by. It simply adds additional obfuscations, new domains, and new techniques, and tries again—often even reusing previous patterns. Trident Ursa has been operating in this manner since at least 2014 and has shown no signs of slowing down during this time of conflict. For all these reasons, it remains a significant threat to Ukraine and its allies.
Protection and Remedial Actions
The best defense against Trident Ursa is a security stance that favors prevention. Unit 42 recommends that companies take the following actions:
- Searching network and endpoint logs for indicators of indicators of compromise associated with this threat group.
- Ensure cybersecurity solutions effectively block active infrastructure IoCs.
- Implementation of a DNS security solution to detect and mitigate DNS requests for known C2 infrastructures. Unless a company has a specific use case for services like Telegram messaging and domain lookup tools in their business environment, these domains should be added to the block list. In the case of Zero Trust networks, the domains should not be included in the list of allowed domains.
- Applying an additional check to all network traffic communicating with AS 197695(Reg[.]ru).
About Palo Alto Networks Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and protect our digital way of life. We help you address the world's biggest security challenges with continuous innovation leveraging the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are the leaders in protecting tens of thousands of businesses across clouds, networks and mobile devices. Our vision is a world where every day is safer than the one before.