Russia: Trident Ursa Group (aka Gamaredon) Still Occupying Ground In Cyber Warfare That Has Been Raging Since Ukraine Invasion – Global Security Mag Online

Russia: The Trident Ursa group (aka Gamaredon) still occupies the terrain of the cyber war that has been raging since the invasion of Ukraine

Since Unit 42 last analyzed the APT (Advanced Persistent Threat) group Trident Ursa (aka Gamaredon, UAC-0010, Primitive Bear, Shuckworm) in early February, the Ukrainian cyber domain has been plagued by ever-increasing threats coming from Russia. The Ukrainian security services have identified the Federal Security Service of the Russian Federation as the actor behind the Trident Ursa group.

As the conflict continues on the ground and in cyberspace, Trident Ursa works tirelessly to create access and gather intelligence. To date, Trident Ursa stands out as a remarkably invasive, intrusive and persistent APT, and one clearly directed against Ukraine.

Given the geopolitical situation and the targets chosen by this APT group, researchers at Unit 42, Palo Alto Networks’ threat research and consulting arm, are constantly on the lookout for indicators that reveal who is behind its operations.

During this hunt, Unit 42 mapped more than 500 new domains, 200 samples and other indicators of compromise (IoCs) used over the last 10 months in Trident Ursa phishing, spoofing and malware attacks.

Unit 42 is releasing this information together with the already known IoCs to highlight and share its current understanding of Trident Ursa’s operations. Monitoring of these domains, backed by open source intelligence, has allowed Unit 42 to identify a few notable items:

• On August 30, there was a failed attempt to compromise a major oil refinery in a NATO member country.

• In the aftermath of the invasion, an individual believed to belong to the Trident Ursa group threatened to attack a cybersecurity researcher based in Ukraine.

• Several changes to the group’s tactics, techniques and procedures (TTPs).

Trident Ursa is an agile and adaptive APT whose operations do not rely on particularly sophisticated or complex techniques. In most cases, the members of the group use publicly available tools and scripts, combined with heavy obfuscation and basic phishing attempts, to carry out their operations.

These maneuvers are regularly intercepted by researchers and government organizations, which does not seem to alarm the group unduly. Its response is simply to strengthen its obfuscation, add new domains and vary its techniques before trying again, often reusing templates it has used before.

This operating mode has been the same since 2014, and has allowed Trident Ursa to carry out its operations without any slowdown during the conflict. For all these reasons, the group poses a serious threat to Ukraine, and requires countries and their allies to organize an active defense.

What protective measures?

Against Trident Ursa, the best defense is a security posture that puts prevention first.

Thus, Unit 42 recommends that organizations take the following measures:

• Scan the network and endpoint logs for indicators of compromise associated with this criminal group.

• Ensure that cybersecurity solutions effectively block active infrastructure IoCs.

• Implement a DNS security solution to detect and neutralize DNS requests to known C2 infrastructure. In addition, unless the organization has a specific and proven need for certain services, such as Telegram or domain analysis tools, add these domains to your blacklist, or remove them from your whitelist if you have opted for a Zero Trust approach.

• Strengthen monitoring of network communications with AS 197695 (Reg[.]ru).
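The first and third measures above both come down to matching observed DNS activity against a list of indicator domains. The script below is an added example, not code from Unit 42 or from the article: it normalizes a defanged indicator list (the "[.]" form IoC feeds use), then scans DNS query log lines for exact or subdomain matches. The blocklist entries, the log lines and the dnsmasq-like log layout are all constructed placeholders and are not Trident Ursa indicators.

```python
"""Scan DNS query logs for hostnames matching a blocklist of C2 domain indicators.

Added example: the blocklist entries and log lines below are constructed
placeholders, not indicators from the Unit 42 report or the article.
"""
import re

# Constructed blocklist in the defanged "[.]" form that IoC feeds commonly use.
# Placeholders only: ".invalid" is a reserved TLD that never resolves.
IOC_DOMAINS_DEFANGED = [
    "c2-placeholder-one[.]invalid",
    "C2-Placeholder-Two[.]invalid.",   # mixed case and trailing dot on purpose
]

# Constructed DNS query log lines (a dnsmasq-like "query[TYPE] name" layout,
# assumed here for illustration).
SAMPLE_LOG = [
    "2022-12-20T10:15:01Z 10.0.0.5 query[A] www.example.org",
    "2022-12-20T10:15:04Z 10.0.0.5 query[A] c2-placeholder-one.invalid",
    "2022-12-20T10:15:09Z 10.0.0.7 query[TXT] update.c2-placeholder-two.invalid",
    "2022-12-20T10:15:12Z 10.0.0.9 query[A] notc2-placeholder-one.invalid",
    "malformed line that the parser must skip",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[(?P<qtype>\w+)\]\s+(?P<qname>\S+)$"
)


def refang(indicator: str) -> str:
    """Normalise a defanged indicator ('example[.]com') into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def build_blocklist(defanged):
    """Set of normalised hostnames to match against."""
    return {refang(d) for d in defanged}


def matches_ioc(hostname, blocklist):
    """Return the blocked domain that hostname equals or sits under, else None.

    Walks the label suffixes so that 'update.c2.invalid' matches an indicator
    'c2.invalid', while 'notc2.invalid' (a substring, not a subdomain) does not.
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in blocklist:
            return suffix
    return None


def scan_dns_log(lines, blocklist):
    """Parse each log line and collect the queries that hit the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # unparseable line: skip rather than abort the scan
        indicator = matches_ioc(m["qname"], blocklist)
        if indicator is not None:
            hits.append({
                "timestamp": m["ts"],
                "client": m["client"],
                "qtype": m["qtype"],
                "qname": m["qname"],
                "indicator": indicator,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, build_blocklist(IOC_DOMAINS_DEFANGED)):
        print(f"{hit['timestamp']} {hit['client']} queried {hit['qname']} "
              f"(matches indicator {hit['indicator']})")
```

Suffix matching rather than substring matching is the design point: a lookalike such as `notc2-placeholder-one.invalid` stays out of the alert queue, while any host under a blocked domain is still caught. In production the blocklist would be loaded from the published IoC feed and the log format adjusted to the resolver in use.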
