Trident Ursa

Threat Actor updated 5 months ago (2024-05-04T20:18:55.301Z)
Trident Ursa, also tracked as Gamaredon, Shuckworm, Actinium, Armageddon, Primitive Bear and UAC-0010, is a threat actor that the Security Service of Ukraine (SBU) attributes to Russia's Federal Security Service (FSB). The group has been active since 2014 and has consistently targeted Ukrainian government employees, journalists and military personnel, as well as security services and other government organizations in Ukraine, with no sign of its operations slowing down.

The group delivers its malware through phishing emails and uses various techniques to restrict access to the URLs it operates. Its recent phishing documents have low detection rates on VirusTotal, most likely because of their simplicity. The initial VBScript establishes persistence by creating a Windows scheduled task and a registry key, two techniques Trident Ursa uses routinely. The group has also been observed deploying a multistage backdoor named Pteranodon (also called Pterodo), which executes payloads received from its command-and-control (C2) server.

Trident Ursa does not rely on particularly sophisticated or complex tooling; its effectiveness comes from agility and adaptability. Its continued operation underlines the need for robust defenses, and against an advanced persistent threat (APT) of this kind prevention remains the best defense, so a security posture that favours prevention is crucial to mitigating the risk it poses.
Description last updated: 2024-05-04T19:27:13.606Z
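The description names two persistence mechanisms, a scheduled task and a registry key, both set up by an initial VBScript. The PowerShell hunt below is an added example, not code from this page or from any vendor report on the group, and it contains no Trident Ursa indicators: it simply enumerates every scheduled task action and every value under the common Run/RunOnce keys and reports those that launch a script host or reference a .vbs file. The list of script hosts, the registry keys checked and the `.vbs` pattern are assumptions chosen for illustration.

```powershell
# Added example: generic hunt for script-host persistence via scheduled tasks
# and Run/RunOnce keys. Not a signature for any specific group; the patterns
# below are assumptions for illustration and will also match legitimate software.

# Assumed: interpreters a VBScript dropper would typically be launched through.
$ScriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe')

function Test-ScriptHostCommand {
    param([string]$Command)
    # -match is case-insensitive by default in PowerShell.
    if ($Command -match '\.vbs\b') { return $true }
    foreach ($h in $ScriptHosts) {
        if ($Command -match [regex]::Escape($h)) { return $true }
    }
    return $false
}

function Get-SuspiciousScheduledTasks {
    # Every task can carry several actions; inspect each one's executable and arguments.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if (Test-ScriptHostCommand $cmd) {
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = $cmd
                    Author  = $task.Author
                }
            }
        }
    }
}

function Get-SuspiciousRunKeys {
    # Assumed: the autostart keys most commonly abused. Not exhaustive (Winlogon,
    # Services and other autostart locations are not covered here).
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            $val = [string]$p.Value
            if (Test-ScriptHostCommand $val) {
                [pscustomobject]@{
                    Source  = 'RunKey'
                    Name    = "$key\$($p.Name)"
                    Command = $val
                    Author  = ''
                }
            }
        }
    }
}

$findings = @(Get-SuspiciousScheduledTasks) + @(Get-SuspiciousRunKeys)
if ($findings.Count -eq 0) {
    Write-Output 'No scheduled task or Run key launching a script host was found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so that tasks owned by other principals and the HKLM keys are readable; `Get-ScheduledTask` needs the ScheduledTasks module that ships with Windows 8 / Server 2012 and later. Legitimate products also register cscript or wscript tasks, so triage hits against known-good software rather than treating every result as malicious, and keep in mind that this is a point-in-time check of two autostart locations, not a replacement for endpoint telemetry.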
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Gamaredon (3 votes)
Description: Gamaredon is a possible alias for Trident Ursa. Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been identified as one of the most active threat actors in Ukraine, particularly since Russia's invasion of Ukraine in 2022. The group has been known to employ a variety of tools and techniques for cyberespionage, including downloaders
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Ukraine
Backdoor