Connect with us

Hi, what are you looking for?



Cyber Espionage Campaign Against Ukrainian Government Continues

Starting in early 2019, Ukrainian government entities have been targeted by a spear-phishing campaign that appears to be a cyber espionage campaign emanating from the Luhansk People’s Republic (LPR).

Starting in early 2019, Ukrainian government entities have been targeted by a spear-phishing campaign that appears to be a cyber espionage campaign emanating from the Luhansk People’s Republic (LPR).

LPR is a proto-state. It is a region in eastern Ukraine that declared independence following the 2014 Ukrainian revolution. It is not recognized as a sovereign state by any member country of the UN. The Ukrainian government describes LPR as a ‘temporarily occupied territory’, and its government as an ‘occupying administration of the Russian Federation’.

FireEye has discovered a new spear-phishing campaign that it believes is a continuation of ongoing activity probably coming from LPR and aimed against the Ukrainian government. It believes that such activity dates to 2014. 

In January 2018, Palo Alto Networks (PAN) discussed “a modestly sized campaign going back to late 2015 using both Quasar RAT and RAT VERMIN.” While PAN provides no attribution and doesn’t mention LPR, this is almost certainly the ‘ongoing activity’ described by FireEye. In March 2018, ESET published a report analyzing both Quasar and Vermin malware and campaigns. Now, however, says FireEye, the attackers have improved their sophistication by leveraging both custom and open-source malware, and using malicious LNK files.

QUASAR is an open-source RAT freely available on GitHub. VERMIN is a custom-made full-featured backdoor not used by any other threat actor. The latter first appeared in 2016. Most of its capabilities are implemented in the primary payload, but additional functionality — such as an audio recorder, a keylogger, a password stealer and a USB file stealer — can be downloaded to the victim machine.

A spear-phishing sample email found by FireEye and dated 22 January 2019 pretends to be from Armtrac, a UK defense manufacturer. It expresses an interest in discussing “joint opportunities in demining activities… ammunition recycling, participation in tenders with further technology transfer…” The Armtrac address, website and email contacts in the email are all correct.

Three attachments are provided with the email. Two are genuine and benign PDF files taken from the Armtrac website. The third, however, is a malicious LNK file that executes a PowerShell script. The script attempts to connect to ‘http://sinoptik[.]website/EuczSc’ which resolves to IP address This server was not available during FireEye’s analysis. 

However, note the researchers, “Domains previously connected to RATVERMIN (aka VERMIN) and QUASARRAT (aka QUASAR) also resolved to IP ‘’.” FireEye has not seen the malware used by any other threat actor.

Advertisement. Scroll to continue reading.

FireEye’s infrastructure analysis also points to an LPR source, and in particular to the persona ‘re2a1er1 @’. One of the domains registered from this email address is the official website of the Ministry of State Security of the LPR.

All these indicators — type of malware, target, and infrastructure — lead FireEye to conclude that this is the latest iteration of an ongoing cyber espionage campaign by unnamed LPR actors against the Ukrainian government. “While more evidence is needed for definitive attribution,” it reports, “this activity showcases the accessibility of competent cyber espionage capabilities, even to sub-state actors.”

The actors themselves are described as being highly aggressive and proactive. ESET pointed out the extent to which the malware is focused on Ukrainian targets. It checks for Russian or Ukrainian keyboard layouts and terminates if not. It checks the victim’s IP address, and if not in Russia or Ukraine, it terminates. It will not run under accounts typical of automated analysis systems.

FireEye gives an example. When the RATVERMIN operators realized the malware was running on an unintended victim, they immediately executed the Hidden Tear ransomware. This was killed by the analysts before it could take effect. The malware operators then started deleting the analysis tools.

The analysts reset the machine and allowed the malware to execute again; but this time with an open text file asking the attackers why they sent the ransomware. The attackers responded with a message “C&C to Victim”, ending “Mad?”

Although currently entirely focused against Ukraine, FireEye points out and warns, “nascent threats to Ukraine have previously become international concerns and bear monitoring.”

Related: Many Ukrainian Organizations Targeted in Reconnaissance Operation 

Related: Ukraine Separatists, Politicians Targeted in Surveillance Operation 

Related: ‘GreyEnergy’ Cyberspies Target Ukraine, Poland 

Related: ‘Industroyer’ ICS Malware Linked to Ukraine Power Grid Attack 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.