Russia’s Gamaredon APT linked to an attack against Latvia MoD

February 7, 2023

The Ministry of Defence (MoD) of Latvia was recently targeted in a cyberattack by a threat group suspected to be the Russia-based Gamaredon APT (also tracked as Trident Ursa).

The attack was a spear-phishing campaign in which the Gamaredon actors impersonated Ukraine's Ministry of Defence to target Latvia MoD employees. The campaign was unsuccessful: security teams spotted and disrupted it before it did any damage.


The researchers found one clear clue linking the Latvia MoD attack to Gamaredon APT.


In a sample of the malicious spear-phishing email sent to the Latvia MoD, the researchers noticed that the senders used a domain, admou[.]org, that Gamaredon APT had used in previous attacks. This infrastructure reuse is what allowed the researchers to link the campaign to the Russian-backed group; investigations are still underway to confirm the attribution.
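The attribution rests on a sender domain matching a previously seen indicator. The following is an added example, not code from the article or from CERT-LV, of the triage check an analyst would run on the mailbox: refang the published indicator, pull every sender-related header from a message, and flag any address whose domain equals the indicator or is a subdomain of it. It also lists From display names whose address domain is not one the analyst expects for the organisation being claimed, since the phish impersonated Ukraine's MoD. Only admou[.]org comes from the report; the sample emails, their addresses and the expected-domain allowlist are constructed placeholders.

```python
import email
from email.utils import getaddresses
from typing import List, Optional, Set, Tuple

# Indicator from the report, kept in its defanged form so it can be pasted
# straight from the write-up. Any further entries would be analyst-supplied.
KNOWN_GAMAREDON_DOMAINS = ["admou[.]org"]

# Headers that carry the sending identity a recipient or MTA would see.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def refang(ioc: str) -> str:
    """Convert a defanged indicator (admou[.]org, hxxp://...) into a matchable value."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def domain_of(addr: str) -> Optional[str]:
    """Return the normalised domain part of an RFC 5322 address, or None if it has none."""
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower().rstrip(".")


def match_iocs(raw: bytes, iocs: List[str] = KNOWN_GAMAREDON_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (header, address, indicator) for every sender address under a known-bad domain.

    A subdomain such as mail.admou.org is treated as a hit, because operators
    routinely rotate hostnames under the same registered domain.
    """
    wanted = [refang(i) for i in iocs]
    msg = email.message_from_bytes(raw)
    hits = []
    for header in SENDER_HEADERS:
        for _display, addr in getaddresses(msg.get_all(header, [])):
            dom = domain_of(addr)
            if dom is None:
                continue
            for ioc in wanted:
                if dom == ioc or dom.endswith("." + ioc):
                    hits.append((header, addr, ioc))
    return hits


def impersonation_hints(raw: bytes, expected_domains: Set[str]) -> List[Tuple[str, str]]:
    """Return (display_name, domain) for From entries whose domain is outside the allowlist.

    expected_domains is the analyst's list of domains the claimed organisation
    really sends from; a named sender outside it deserves a closer look.
    """
    msg = email.message_from_bytes(raw)
    hints = []
    for display, addr in getaddresses(msg.get_all("From", [])):
        dom = domain_of(addr)
        if display and dom is not None and dom not in expected_domains:
            hints.append((display, dom))
    return hints


# Constructed sample: the display name mirrors the impersonation described in the
# report; the mailbox names and the subdomain are placeholders.
SAMPLE_PHISH = b"""Return-Path: <noreply@mail.admou.org>
From: "Ministry of Defence of Ukraine" <press@admou.org>
Reply-To: <reply@admou.org>
To: staff@example.lv
Subject: Official notice
Content-Type: text/plain

Please see the attached document.
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = b"""From: "Colleague" <colleague@example.lv>
To: staff@example.lv
Subject: Lunch

Noon?
"""

# Placeholder allowlist; replace with the real sending domains of the claimed organisation.
EXPECTED_UA_MOD_DOMAINS = {"placeholder-mod.example"}

if __name__ == "__main__":
    for header, addr, ioc in match_iocs(SAMPLE_PHISH):
        print(f"IOC hit: {header}: {addr} matches {ioc}")
    for display, dom in impersonation_hints(SAMPLE_PHISH, EXPECTED_UA_MOD_DOMAINS):
        print(f"Display name {display!r} sent from unexpected domain {dom}")
```

The check deliberately covers Reply-To and Return-Path as well as From, because a campaign can put a clean-looking address in From and route replies or bounces through its own infrastructure; matching on the registered domain rather than the full hostname keeps the rule useful when the operators rotate subdomains.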

CERT-LV, Latvia's computer emergency response team, described the attack as unusual because the threat actors began communicating with the security teams once they learned an investigation had been launched. During that exchange, the group sent the researchers a meme intended to mock Ukraine and Europe.

CERT-LV also confirmed that numerous Russian threat groups have targeted Latvia, especially since the Russia-Ukraine war began last year, Latvia being a known ally of Ukraine. The agency added, however, that most of these campaigns are aimed at publicity rather than real impact.

Gamaredon APT has been one of the most active threat groups since the start of Russia's invasion of Ukraine. The group was responsible for a mass phishing email campaign that delivered Gamaredon malware to its targets.

Ukraine's CERT reported that it detects malicious activity from the group on a weekly basis, with about 70 incidents documented in 2022.

Also known as Trident Ursa, Gamaredon APT has been widely attributed to Russia's Federal Security Service (FSB), launching attacks on specific targets on the service's orders. Most of the group's campaigns aim to gain access to target networks for espionage and intelligence collection.

Security researchers have also described the group as one of the most active, pervasive, and intrusive APTs focused on Ukrainian organisations.
