Ukraine detects new Pterodo backdoor malware, warns of Russian cyberattack

Revived Gamaredon threat group just part of wave of new attacks tied to Russia’s FSB.

Enlarge (credit: Mira Mechtley )

The Computer Emergency Response Team of Ukraine (CERT-UA) and the Foreign Intelligence Service of Ukraine have detected a new strain of the Pterodo Windows backdoor targeting computers at Ukrainian government agencies, leading officials in Kiev to warn of a pending large-scale cyber attack.

In an alert posted to the organization's website, a CERT-UA official wrote:

CERT-UA together with the Foreign Intelligence Service of Ukraine found new modifications of Pterodo-type malware on computers of state authorities of Ukraine, which is likely to be the preparatory stage for a cyber attack. This virus collects system data, regularly sends it to command-control servers and expects further commands.

Pterodo, also known as Pteradon, is associated with the Gamaredon threat group, a group of attacks based largely on off-the-shelf software that have focused on Ukrainian military and government targets. Pterodo is a custom backdoor used to insert other malware and collect information. The latest version activates only on Windows systems with language localization for Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, Tatar, and other languages associated with former Soviet states; this makes it more difficult to perform automated analysis of the malware with certain tools.

Read 4 remaining paragraphs | Comments

Russia’s Cozy Bear comes out of hiding with post-election spear-phishing blitz

Emails that seem eerily familiar masquerade as US State Department.

Enlarge / Russian President Vladmir Putin in St. Petersburg today for the St. Petersburg International Economic Forum, acknowledged today that Russian hackers may have interfered in the US election. (credit: Mikhail Svetlov/Getty Images)

Attackers suspected of working for the Russian government masqueraded as a US State Department official in an attempt to infect dozens of organizations in government, military, defense contracting, media, and other industries, researchers from security firm FireEye warned on Monday.

The spear-phishing campaign began last Wednesday. This is almost exactly two years after the Russian hacking group known under a variety of monikers, including APT29 and Cozy Bear, sent a similar barrage of emails that targeted many of the same industries, FireEye said in a blog post. The tactics and techniques used in both post-election campaigns largely overlap, leading FireEye to suspect the new one is also the work of the Russian-government-controlled hacking arm. FireEye researchers Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, and Nick Carr wrote:

Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.

“Secure” communications

At least 38 FireEye clients have been targeted so far in the spear-phishing campaign, Carr told Ars. The emails purport to deliver an official US State Department from a known public-affairs official at the same US agency. The messages were designed to appear as a secure communication that’s hosted on a webpage linked to the official’s personal drive. To further appear legitimate, the message delivers a legitimate State Department form.

Read 9 remaining paragraphs | Comments