The Computer Emergency Response Team of Ukraine (CERT-UA) and the Foreign Intelligence Service of Ukraine have detected a new strain of the Pterodo Windows backdoor targeting computers at Ukrainian government agencies, leading officials in Kiev to warn of an impending large-scale cyber attack.

In an alert posted to the organization's website, a CERT-UA official wrote:

CERT-UA together with the Foreign Intelligence Service of Ukraine found new modifications of Pterodo-type malware on computers of state authorities of Ukraine, which is likely to be the preparatory stage for a cyber attack. This virus collects system data, regularly sends it to command-control servers and expects further commands.

Pterodo, also known as Pteradon, is associated with the Gamaredon threat group, whose campaigns rely largely on off-the-shelf software and have focused on Ukrainian military and government targets. Pterodo is a custom backdoor used to collect information and to install additional malware. The latest version activates only on Windows systems whose language localization is Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, Tatar, or another language associated with former Soviet states; on a machine with any other locale, which describes most analysis sandboxes, the sample stays dormant, making automated analysis of the malware with certain tools more difficult.

According to the CERT-UA bulletin, the new version of Pterodo generates a unique command-and-control URL for each infected system, derived from the serial number of its hard drive. Data about the infected system is uploaded to that URL, allowing the attackers to decide which tools to install and run remotely on each machine. Because the full URL differs from victim to victim, defenders blocking or hunting for this activity should key on the domains rather than on any specific URL. The domains associated with the attack so far include updates-spreadwork.pw, dataoffice.zapto.org, and bitsadmin.ddns.net.
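As an added illustration, not code from the CERT-UA bulletin or from this article, the Python snippet below runs a simple indicator match for the three listed domains over proxy-log lines. Since the per-host URL differs for every infected machine, it matches on the URL's hostname and its subdomains (on label boundaries, so a look-alike such as notbitsadmin.ddns.net is not flagged) rather than on full URLs. The log layout, the client addresses and the per-client path segment are all constructed for the sample; the path layout in particular is an assumption standing in for the per-host URL the bulletin describes, not the real Pterodo scheme.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Domains named in the CERT-UA bulletin as associated with this Pterodo campaign.
PTERODO_C2_DOMAINS = frozenset({
    "updates-spreadwork.pw",
    "dataoffice.zapto.org",
    "bitsadmin.ddns.net",
})

# Constructed sample in a simplified proxy-log layout (hypothetical, not real traffic):
# "<epoch timestamp> <client ip> <method> <url>". The per-client path segment is an
# assumption standing in for the per-host URL described in the bulletin.
SAMPLE_PROXY_LOG = """\
1543881600.001 10.1.2.3 GET http://updates-spreadwork.pw/WD1234567890ABC/report.php
1543881601.447 10.1.2.3 POST http://updates-spreadwork.pw/WD1234567890ABC/upload.php
1543881602.010 10.1.2.4 GET http://www.example.com/index.html
1543881603.300 10.1.2.5 GET http://dataoffice.zapto.org/ST9876543210XYZ/index.php
1543881604.900 10.1.2.6 GET http://notbitsadmin.ddns.net/foo
1543881605.120 10.1.2.7 GET http://cdn.BITSADMIN.ddns.net/x
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def host_matches_ioc(host: str, iocs=PTERODO_C2_DOMAINS) -> Optional[str]:
    """Return the matching indicator if host equals it or is a subdomain of it.

    Matching on label boundaries avoids a substring false positive such as
    'notbitsadmin.ddns.net' while still catching 'cdn.bitsadmin.ddns.net'.
    """
    host = host.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose URL host matches a listed domain."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        parts = urlsplit(m["url"])
        host = parts.hostname or ""  # urlsplit lower-cases the hostname for us
        ioc = host_matches_ioc(host)
        if ioc is not None:
            hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                         "ioc": ioc, "path": parts.path})
    return hits


def clients_by_ioc(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group affected client addresses under the indicator they contacted."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        grouped[h["ioc"]].add(h["client"])
    return dict(grouped)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(f'{h["ts"]} {h["client"]} -> {h["host"]}{h["path"]} (matches {h["ioc"]})')
    print(clients_by_ioc(found))
```

The same host_matches_ioc check can be pointed at DNS query logs, where there is no URL at all and the per-host path never appears, which is another reason to hunt on the domain rather than the full URL. Grouping hits by client gives the list of machines to pull for forensic review.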

In the past, the Security Service of Ukraine (SBU) has tied the Gamaredon group to Russia's Federal Security Service (FSB). Coincidentally, the discovery of the new update to Pterodo comes just days after FireEye and Crowdstrike reported a resurgence in "spear-phishing" attacks against a wide range of organizations worldwide, which Crowdstrike researchers said bear the signature of the threat group Cozy Bear—another FSB-connected threat group.

The latest Cozy Bear campaign used spear-phishing emails sent from an account posing as a US State Department official; in one instance viewed by Reuters' Christopher Bing, the message's "from" field named State Department public affairs specialist Susan Stevenson. The targets of the Cozy Bear attacks include US government agencies, think tanks, and businesses.

Malware from the Cozy Bear group was identified as part of an infiltration of the Democratic National Committee's network in 2016, operating more stealthily than the "Fancy Bear" malware tied to Russia's Main Intelligence Directorate (GRU). The Cozy Bear malware family, also referred to as "The Dukes," also targeted non-governmental organizations in the wake of President Donald Trump's election. The group has a long history of targeting US and NATO-related agencies and organizations.