In November 2018, the Ukrainian government and military fell victim to a targeted malware attack orchestrated by the Russian Gamaredon Group, a cyberespionage collective linked to Russia’s FSB. The attack leveraged the Pterodo backdoor, malware designed to infiltrate systems via malicious downloads or as a secondary payload dropped by other malware. This variant was engineered to activate exclusively on Windows 10 systems configured with languages from former Soviet states (Ukrainian, Russian, Belarusian, etc.), which complicated automated detection in sandboxes and systems using other locales. The malware generated unique C2 (command-and-control) URLs derived from the infected machine’s hard drive serial number, enabling the attackers to exfiltrate system data and deploy additional tools remotely. The operation served as a spyware-driven intelligence-gathering campaign, extracting sensitive military and governmental data. The stolen information was later weaponized by Russia to seize Ukrainian naval vessels and imprison sailors, directly escalating geopolitical tensions. Domains such as *updates-spreadwork.pw* and *bitsadmin.ddns.net* were tied to the attack, which CERT-UA confirmed as part of a broader disinformation and cyber-warfare strategy. The breach compromised strategic planning data, undermining Ukraine’s operational security and enabling Russia’s aggressive maritime actions in the Kerch Strait.
TPRM report: https://www.rankiteo.com/company/nsdc-of-ukraine
"id": "nsd245092125",
"linkid": "nsdc-of-ukraine",
"type": "Cyber Attack",
"date": "11/2018",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': 'Public Sector',
'location': 'Ukraine',
'name': 'Ukrainian Government',
'type': 'Government'},
{'industry': 'Defense',
'location': 'Ukraine',
'name': 'Ukrainian Military',
'type': 'Military'}],
'attack_vector': ['Backdoor (Pterodo)',
'Malicious websites (drive-by download)',
'Dropped by other malware'],
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': 'High (military/intelligence)',
'type_of_data_compromised': ['Intelligence data',
'Military-related information']},
'date_detected': '2018-11',
'description': 'In November 2018, key Ukrainian government and military '
'targets were hit by a malware attack in Ukraine. The malware, '
'Pterodo, entered through a backdoor and was designed to '
'activate only on Windows 10 systems with language '
'localization for Ukrainian, Belarusian, Russian, and other '
'languages associated with former Soviet states. The attack '
'was attributed to the Russian Gamaredon Group, tied to the '
'Russian FSB, and aimed at intelligence gathering for a '
'spyware war and disinformation campaign. The attack led to '
'the seizure of Ukrainian vessels and imprisonment of '
'Ukrainian sailors.',
'impact': {'data_compromised': ['Intelligence data',
'Military-related information'],
'operational_impact': ['Seizure of Ukrainian vessels',
'Imprisonment of Ukrainian sailors'],
'systems_affected': ['Windows 10 systems with '
'Ukrainian/Belarusian/Russian/other former '
'Soviet state localizations']},
'initial_access_broker': {'backdoors_established': True,
'entry_point': ['Backdoor (Pterodo)',
'Malicious websites',
'Dropped by other malware'],
'high_value_targets': ['Ukrainian government',
'Ukrainian military']},
'motivation': ['Espionage',
'Intelligence gathering',
'Disinformation',
'Military advantage'],
'post_incident_analysis': {'root_causes': ['Targeted malware (Pterodo) with '
'regional activation criteria',
'Lack of detection for unique C2 '
'URL generation based on hard '
'drive serial number']},
'references': [{'source': 'CERT-UA Bulletin'}],
'threat_actor': 'Gamaredon Group (linked to Russian FSB)',
'title': 'Pterodo Backdoor Malware Attack on Ukrainian Government and '
'Military Targets',
'type': ['Malware', 'Spyware', 'Disinformation Campaign']}