A hacking group with Russian ties attempted to break into a petroleum refining company in a NATO member state in late August, according to the latest report from Palo Alto Networks' Unit 42.
According to the report, the attempted intrusion, which appears to have been unsuccessful, took place on August 30 and was carried out by a group tracked as "Trident Ursa" using spear-phishing emails whose attachment file names were in English and included phrases such as "military assistance."
The news of Trident Ursa's most recent moves came just after National Security Agency Cyber Director Rob Joyce issued a warning that Russian state-sponsored hackers may target NATO nations' energy sectors in the upcoming months.
According to Joyce, these attacks could have "spillover" effects on Ukraine's neighbors, such as Poland, where Microsoft recently issued a warning that Russian-backed hackers had intensified their operations on the nation's logistics sector, a crucial supporter of the Ukrainian military effort.
Trident Ursa, also known as "Gamaredon" or "Armageddon," has been linked to Russia's Federal Security Service and has been operating since at least 2014. It is known primarily for phishing-driven intelligence-gathering operations. Since the start of the war in Ukraine the group has been very active, and it has repeatedly attempted to phish Ukrainian entities.
The attempt on a petroleum refining company was likely meant to boost "intelligence gathering and network access against Ukrainian and NATO partners," according to the Unit 42 assessment.
Trident Ursa remains one of the most "pervasive, intrusive, continually active and targeted APTs targeting Ukraine," according to Unit 42 researchers, who told CyberScoop, a cybersecurity news site, in an email that they do not believe the group has more than 10 members.
“This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains, and new techniques and try again — often even reusing previous samples,” the report reads.
Researchers say Trident Ursa is not technically sophisticated and instead relies on lures and publicly available tools. The group geofences its delivery infrastructure so that the malicious files are served only to visitors located in selected countries. This keeps the attacks out of view of researchers and sandboxes elsewhere and makes the campaigns harder to spot.
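The geofencing described above is a general technique, not something specific to this report. The following is an added example (not code from Unit 42 or from the group) that simulates a geofenced download handler and the check an analyst uses to detect it: fetch the same URL from exit addresses in several countries and compare the response bodies. The GeoIP table, IP ranges (RFC 5737 documentation ranges), country codes and payload bytes are all constructed for the example and map to nothing real.

```python
import hashlib
import ipaddress

# Constructed GeoIP table (CIDR -> ISO country code). A real operator would use a
# commercial GeoIP database; these documentation ranges are assigned arbitrarily.
GEOIP_TABLE = {
    "192.0.2.0/24": "UA",
    "198.51.100.0/24": "PL",
    "203.0.113.0/24": "US",
}

# Countries the (simulated) operator wants to reach. Assumption for the example.
ALLOWED_COUNTRIES = {"UA", "PL"}

# Constructed placeholders: the real file for targets, a harmless decoy for everyone else.
PAYLOAD = b"%% constructed stager placeholder, not real malware %%"
DECOY = b"%PDF-1.4\n% intentionally blank document\n"


def lookup_country(ip):
    """Return the ISO country code for an IP, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def serve(client_ip):
    """Simulated geofenced handler: same URL, same HTTP status, different body.

    Returning 200 with a decoy (rather than 403) is what makes a single fetch
    from outside the target region look like a benign document.
    """
    if lookup_country(client_ip) in ALLOWED_COUNTRIES:
        return 200, PAYLOAD
    return 200, DECOY


def fetch_from_vantage_points(handler, vantage_ips):
    """Analyst check: request the same resource from several exit IPs.

    Returns {ip: (status, sha256 of body)} so bodies can be compared without
    keeping the raw payloads around.
    """
    results = {}
    for ip in vantage_ips:
        status, body = handler(ip)
        results[ip] = (status, hashlib.sha256(body).hexdigest())
    return results


def detect_geofencing(results):
    """True when the same URL returned different bodies to different vantage points."""
    digests = {digest for _, digest in results.values()}
    return len(digests) > 1


if __name__ == "__main__":
    # One fetch from a non-target country sees only the decoy.
    print(serve("203.0.113.5"))
    # Comparing fetches from several countries exposes the geofence.
    probe = fetch_from_vantage_points(serve, ["203.0.113.5", "192.0.2.10", "198.51.100.7"])
    print("geofenced:", detect_geofencing(probe))
```

The practical point for defenders: if your sandbox or analyst workstation egresses from outside the group's target countries, it will receive the decoy and report the URL as harmless. Treat a single out-of-region fetch as inconclusive, and re-fetch through an exit in the targeted region (or recover the file from the victim host) before concluding a lure is benign.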
The Russian hacker organization also exhibits some unusual preferences for choosing domain names that make pop culture references. According to Unit 42's analysts, some of the domains contain names of American basketball teams, well-known rock bands like Metallica and Papa Roach, and characters from the hit TV programme "The Big Bang Theory."
The group also has a habit of taunting and harassing its adversaries online. A Trident Ursa member going by the name "Anton" posted a warning on Twitter shortly after the Russian invasion of Ukraine, saying, "I'm coming for you." The group also appears to have named some of its subdomains after a Ukrainian cybersecurity expert.