The Russian cyber-espionage group known as Gamaredon may have been behind a phishing attack on Latvia’s Ministry of Defense last week, the ministry told The Record on Friday.
Hackers sent malicious emails to several employees of the ministry, pretending to be Ukrainian government officials. The attempted cyberattack was unsuccessful, the ministry added.
A sample of the malicious email was first shared on Twitter by French cybersecurity company Sekoia.io this week.
The company obtained it from VirusTotal, a Google-owned service that analyzes suspicious files, where one of the targeted users may have downloaded it to verify its sender, according to Sekoia threat intelligence researcher Felix Aime.
Researchers attributed this phishing campaign to Gamaredon because the hackers used the same domain (admou[.]org) as previous cyberattacks, Aime said. Earlier in December, the cybersecurity company Unit 42 also linked this domain to Gamaredon.
A spokesperson for Latvia’s Ministry of Defense confirmed that the latest attack was “most likely” linked to Gamaredon, although the investigation is still ongoing.
According to the Latvian computer emergency response team, CERT-LV, the attack was “unusual” because the Russian hackers communicated with researchers in the final stages of the attack when they learned they were being investigated.
A CERT-LV spokesperson told The Record that hackers sent a meme depicting a Russian bear holding a paw on Ukraine, while the U.S. and EU try to contain it.
Hacker groups tied to the Russian government, including Gamaredon, have targeted Latvian organizations for several years, but their activity has rapidly increased since the