Threat Actor Profile
Primitive Bear Threat Actor Profile
Primitive Bear is a Russia-aligned threat actor closely affiliated with the Russian Federal Security Service (FSB), specifically FSB Center 18. First observed active during the annexation of Crimea in 2014, this group specializes in psychological operations, disinformation, and phishing campaigns. They play a significant role within Russia’s hybrid warfare doctrine, blending cyber operations with propaganda to destabilize adversaries, specifically targeting Ukraine, NATO, and Eastern European political organizations.
Country of Origin
Primitive Bear originates from Russia. Their operations have been explicitly tied to the Russian Federal Security Service (FSB), demonstrating clear state alignment and access to significant national resources.
Members
The precise size and structure of Primitive Bear remain unclear. Some security vendors suggest overlaps with other Russian-aligned groups like Gamaredon (Actinium/Shuckworm) or CyberBerkut during various campaigns targeting Ukraine. Their operational footprint indicates access to a dedicated and well-resourced team.
Leadership
The leadership of Primitive Bear remains unknown. While the group’s activities are strongly tied to FSB Center 18, no specific leaders or prominent aliases have been publicly disclosed. Analysts suggest that their coordination with other Russian intelligence-backed APTs is overseen by high-ranking figures within the FSB.
Primitive Bear TTPs
Tactics
Primitive Bear primarily aims to discredit Ukraine’s government and civil society, influence public perception, and support Russian geopolitical goals through information warfare. Their operations prioritize high strategic impact over technical sophistication.
Techniques
Key techniques used by Primitive Bear include spear phishing campaigns with malicious attachments, the creation of fake social media personas, and the dissemination of forged documents aimed at disinformation. They also amplify their messages via Russian state-sponsored media channels.
Procedures
Procedurally, Primitive Bear employs rapid dissemination of propaganda alongside malware deployment. Notable tools include phishing emails coupled with custom malware such as Pterodo backdoor and PowerPunch loader, often targeting government officials, journalists, and NGOs in Ukraine.
Notable Cyberattacks
CyberBerkut Operations (2014–2016)
Disinformation campaigns combined with hack-and-leak operations to undermine Ukrainian institutions following the annexation of Crimea.
Ukrainian Elections (2018–2019)
Phishing operations were leveraged to disrupt election processes and discredit political figures in Ukraine.
Russian Invasion of Ukraine (2022–2024)
Coordinated disinformation and cyber efforts aimed at spreading misinformation about Ukrainian leadership and military activities, alongside disruptive attacks by other Russian APTs.
Law Enforcement & Arrests
To date, there are no public reports of arrests directly tied to Primitive Bear’s operations. However, global law enforcement remains vigilant and actively tracks Russian-backed cyber activities to mitigate their impact.
How to Defend Against Primitive Bear
Phishing Resilience: Implement robust email filtering, sandboxing of attachments, and phishing-resistant MFA.
Media Literacy Training: Educate teams to recognize disinformation tactics, especially vital for NGOs operating in affected areas.
IOC Monitoring: Hunt for Gamaredon-style implants such as Pterodo backdoor and PowerPunch loader.
Network Security: Focus on segmentation, endpoint protection, and strict access controls.
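The phishing-resilience item above says what to filter but not what a first-pass check on an inbound message looks like. The script below is an added illustration, not Huntress tooling and not anything taken from the profile: it triages one RFC 5322 message for the signals that item implies, namely script or executable attachment types, disguised double extensions, SPF/DKIM/DMARC failures recorded by the receiving mail server in Authentication-Results, a Reply-To domain that differs from the From domain, and a display name that carries a different address than the real sender. The extension block list, rule weights, domains and both sample messages are constructed placeholders.

```python
"""Spear-phishing triage for one inbound message: attachment, authentication
and header checks. Added illustration, not Huntress's or any vendor's tooling;
the rule weights, extension list and sample messages are constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that execute or run script when opened; hypothetical block list.
RISKY_EXTENSIONS = {".lnk", ".hta", ".js", ".vbs", ".scr", ".exe", ".iso", ".docm", ".xlsm"}
EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5}$")


def last_extension(filename: str) -> str:
    """Final extension, lowercased: 'Order.pdf.lnk' -> '.lnk'."""
    m = EXT_RE.search(filename)
    return m.group(0).lower() if m else ""


def has_double_extension(filename: str) -> bool:
    """'Order.pdf.lnk' -> True, 'Order.pdf' -> False (a common disguise trick)."""
    stem = EXT_RE.sub("", filename, count=1)
    return EXT_RE.search(stem) is not None


def domain_of(header_value) -> str:
    """Domain of the first address in a From/Reply-To header, '' if none."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return weighted findings and a verdict for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []  # (weight, description)

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if last_extension(name) in RISKY_EXTENSIONS:
            findings.append((3, f"executable/script attachment: {name}"))
        if has_double_extension(name):
            findings.append((2, f"double extension: {name}"))

    # Authentication-Results is written by the receiving MTA (RFC 8601).
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append((2, f"{mech} failed"))

    from_hdr = str(msg.get("From", ""))
    from_domain = domain_of(from_hdr)
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append((1, f"Reply-To domain {reply_domain} != From domain {from_domain}"))

    # Display name that itself contains a different address, e.g. "a@gov.example" <x@free.example>
    display_name, _ = parseaddr(from_hdr)
    m = re.search(r"@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append((2, f"display name impersonates {m.group(1)}"))

    score = sum(w for w, _ in findings)
    verdict = "quarantine" if score >= 3 else "review" if score else "deliver"
    return {"score": score, "verdict": verdict, "findings": [d for _, d in findings]}


def build_message(suspicious: bool) -> bytes:
    """Constructed sample messages; every address, domain and payload is a placeholder."""
    msg = EmailMessage()
    msg["To"] = "journalist@newsroom.example"
    msg["Subject"] = "Updated order for review"
    msg.set_content("Please review the attached order.")
    if suspicious:
        msg["From"] = '"press-office@gov-ua.example" <notifier@freemail.example>'
        msg["Reply-To"] = "replies@another-host.example"
        msg["Authentication-Results"] = ("mx.newsroom.example; spf=fail smtp.mailfrom=freemail.example; "
                                         "dkim=none; dmarc=fail header.from=freemail.example")
        msg.add_attachment(b"not a real shortcut", maintype="application",
                           subtype="octet-stream", filename="Order_2024.pdf.lnk")
    else:
        msg["From"] = "Press Office <press-office@gov-ua.example>"
        msg["Authentication-Results"] = ("mx.newsroom.example; spf=pass smtp.mailfrom=gov-ua.example; "
                                         "dkim=pass; dmarc=pass header.from=gov-ua.example")
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="Order_2024.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_message(flag)))
```

The weights are deliberately coarse: a single risky attachment type is enough to quarantine on its own, while a lone header oddity only routes the message to review, which is where a detonation sandbox or analyst check belongs. In a real mail pipeline the Authentication-Results header must come from your own MTA, since an attacker controls any copy of that header that arrives with the message.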