UJ.com

New virus targets government computers
Journal Staff Report

KYIV, Nov 20 – Ukraine's intelligence service and computer emergency response team detected a new strain of computer virus targeting computers at government agencies, perhaps indicating an imminent attack.

The Computer Emergency Response Team of Ukraine (CERT-UA) and the Foreign Intelligence Service detected the strain of the Pterodo Windows backdoor, Ars Technica reported.

“CERT-UA together with the Foreign Intelligence Service of Ukraine found new modifications of Pterodo-type malware on computers of state authorities of Ukraine, which is likely to be the preparatory stage for a cyber attack,” an official at CERT-UA said. “This virus collects system data, regularly sends it to command-control servers and expects further commands.”

Pterodo, also known as Pteradon, is associated with the Gamaredon threat group, whose attacks, based largely on off-the-shelf software, have focused on Ukrainian military and government targets. Pterodo is a custom backdoor used to insert other malware and collect information.

The latest version activates only on Windows systems with language localization for Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, Tatar, and other languages associated with former Soviet states; this makes it more difficult to perform automated analysis of the malware with certain tools.

In the past, the Security Service of Ukraine (SBU) has tied the Gamaredon group to Russia's Federal Security Service (FSB).

The discovery of the new update to Pterodo comes just days after FireEye and Crowdstrike reported a resurgence in "spear-phishing" attacks against a wide range of organizations worldwide, which Crowdstrike researchers said bear the signature of the threat group Cozy Bear—another FSB-connected threat group.

The latest Cozy Bear campaign used spear-phishing emails sent from an account posing as a US State Department official—in one instance viewed by Reuters' Christopher Bing, the message had a "from" field of State Department public affairs specialist Susan Stevenson. The targets of the Cozy Bear attacks include US government agencies, think tanks, and businesses.

Malware from the Cozy Bear group was identified as part of an infiltration of the Democratic National Committee's network in 2016, operating more stealthily than the "Fancy Bear" malware tied to Russia's Main Intelligence Directorate (GRU). (at/ez)




Copyright 2005 Ukrainian Journal. All rights reserved