Latvia confirms phishing attack on Ministry of Defense, linking it to Russian hacking group
The Russian cyber-espionage group known as Gamaredon may have been behind a phishing attack on Latvia's Ministry of Defense last week, the ministry told The Record on Friday.
Hackers sent malicious emails to several employees of the ministry, pretending to be Ukrainian government officials. The attempted cyberattack was unsuccessful, the ministry added.
The sample of the malicious email was first shared on Twitter by French cybersecurity company Sekoia.io this week.
Last week, #Gamaredon intrusion set likely impersonated the MoD to target the MoD by using #spearphishing with the following infection chain: HTMLSmuggling -> ZIP -> LNK -> HTA. They used the already flagged #Gamaredon domain name admou[.]org to send their email. pic.twitter.com/SGQVGPtNJd— SEKOIA.IO (@sekoia_io) January 23, 2023
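As an added triage example, not code from the article, Sekoia or CERT-LV, the Python script below checks an HTML attachment for the HTMLSmuggling -> ZIP -> LNK/HTA stages named in the tweet: it looks for client-side download markers, decodes any large base64 blob, and lists ZIP entries with .lnk or .hta extensions. The marker list, regex and the inert sample page are assumptions of this example.

```python
import base64
import io
import re
import zipfile

# Heuristic markers of HTML smuggling: script decodes base64, wraps it in a
# Blob and triggers a client-side download (assumed indicators, not a standard).
SMUGGLING_MARKERS = ("atob(", "new Blob(", "createObjectURL(", ".download")
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
SUSPICIOUS_EXT = (".lnk", ".hta")  # later stages of the reported chain


def triage_html(html: str) -> dict:
    """Return markers seen, whether a ZIP is embedded, and LNK/HTA entries inside it."""
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    result = {"markers": markers, "embedded_zip": False, "suspicious_entries": []}
    for blob in B64_RE.findall(html):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if not raw.startswith(b"PK\x03\x04"):  # ZIP local file header magic
            continue
        result["embedded_zip"] = True
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(SUSPICIOUS_EXT):
                    result["suspicious_entries"].append(name)
    return result


def build_sample() -> str:
    """Constructed sample: HTML smuggling a ZIP whose only entry is an inert .lnk placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.lnk", "placeholder text, not a real shortcut")
    payload = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><script>"
        f"var b = atob('{payload}');"
        "var arr = new Uint8Array(b.length);"
        "for (var i = 0; i < b.length; i++) arr[i] = b.charCodeAt(i);"
        "var blob = new Blob([arr], {type: 'application/zip'});"
        "var a = document.createElement('a');"
        "a.href = URL.createObjectURL(blob); a.download = 'document.zip'; a.click();"
        "</script></body></html>"
    )


if __name__ == "__main__":
    print(triage_html(build_sample()))
```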
The company obtained it from VirusTotal, a Google-owned service that analyzes suspicious files, where one of the targeted users may have downloaded it to verify its sender, according to Sekoia threat intelligence researcher Felix Aime.
Researchers attributed this phishing campaign to Gamaredon because the hackers used the same domain (admou[.]org) as previous cyberattacks, Aime said. Earlier in December, the cybersecurity company Unit 42 also linked this domain to Gamaredon.
A spokesperson for Latvia's Ministry of Defense confirmed that the latest attack was “most likely” linked to Gamaredon, although the investigation is still ongoing.
According to the Latvian computer emergency response team, CERT-LV, the attack was “unusual” because the Russian hackers communicated with researchers in the final stages of the attack when they learned they were being investigated.
A CERT-LV spokesperson told The Record that hackers sent a meme depicting a Russian bear holding a paw on Ukraine, while the U.S. and EU try to contain it.
Hacker groups tied to the Russian government, including Gamaredon, have targeted Latvian organizations for several years, but their activity has increased rapidly since the start of the war in Ukraine.
Most cyberattacks by pro-Russian hackers “achieve nothing more than publicity,” Varis Teivans, the deputy manager of CERT-LV, told The Record in an interview in October.
Latvia has supported Ukraine since the beginning of the war, providing weapons, humanitarian aid and shelter for Ukrainian refugees.
Other Ukrainian allies, especially former Soviet Union members including Estonia and Lithuania, are also reporting an increase in cyberattacks.
Ukraine’s CERT told The Record that Gamaredon is responsible for the largest number of cyberattacks on Ukraine. “Not a week went by that we didn't detect some new mass phishing email campaign with Gamaredon malware,” a CERT-UA spokesperson said.
In 2022, Ukraine registered more than 70 incidents related to this group, according to CERT-UA.
Ukraine claims that Gamaredon operates from the city of Sevastopol in Russia-occupied Crimea, but acts on orders from the FSB Center for Information Security in Moscow. The group began operations in June 2013, just months before Russia forcibly annexed the Crimean Peninsula from Ukraine.
Ukrainian cybersecurity officials described Gamaredon’s attacks as intrusive and audacious, and said the group’s main purpose was “to conduct targeted cyberintelligence operations.”
Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.