Microsoft late Friday released more information on the threat actor it calls "Actinium" and that others call "Gamaredon" or "Primitive Bear." The Microsoft Threat Intelligence Center (MSTIC) "has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations. MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage." Actinium, MSTIC concludes, represents a different set of activities than the pseudoransomware wiper deployed against Ukrainian sites in January. Thus they don't believe Actinium is responsible for WhisperGate. (Microsoft tracked that earlier activity as DEV-0586.)
Ukrainian security services have attributed the activity to the FSB, specifically an FSB unit operating out of Crimea, and it's significant that MSTIC also sees Actinium's geographical base as lying in the peninsula Russia seized in 2014.
Microsoft sees Actinium's principal objectives as collection and establishing persistence within targeted organizations in furtherance of future cyberespionage. It has typically gained initial access through phishing. Some of its phishing emails misrepresented themselves as coming from the World Health Organization.
US Deputy National Security Advisor Anne Neuberger has been consulting with NATO allies to organize a coordinated response to cyber threats Russia poses to Ukraine (and by implication to Ukraine's neighbors and supporters). The Telegraph quotes her on the way in which a hybrid war is likely to develop. “We’ve been warning for weeks and months, both publicly and privately, that cyber attacks could be part of a broad-based Russian effort to destabilise and further invade Ukraine,” she said. “The Russians understand disabling or destroying critical infrastructure can augment pressure on the country’s government, military and population, and accelerate the receding to Russian objectives.”
The CyberWire's continuing coverage of the crisis in Ukraine may be found here.