Threat Actor Profile

Primitive Bear Threat Actor Profile

Primitive Bear is a Russia-aligned threat actor closely affiliated with the Russian Federal Security Service (FSB), specifically FSB Center 18. First observed active during the annexation of Crimea in 2014, this group specializes in psychological operations, disinformation, and phishing campaigns. They play a significant role within Russia’s hybrid warfare doctrine, blending cyber operations with propaganda to destabilize adversaries, specifically targeting Ukraine, NATO, and Eastern European political organizations.

Threat Actor Profile

Primitive Bear Threat Actor Profile

Country of Origin

Primitive Bear originates from Russia. Their operations have been explicitly tied to the Russian Federal Security Service (FSB), demonstrating clear state alignment and access to significant national resources.

Members

The precise size and structure of Primitive Bear remain unclear. Some security vendors suggest overlaps with other Russian-aligned groups like Gamaredon (Actinium/Shuckworm) or CyberBerkut during various campaigns targeting Ukraine. Their operational footprint indicates access to a dedicated and well-resourced team.

Leadership

The leadership of Primitive Bear remains unknown. While the group’s activities are strongly tied to FSB Center 18, no specific leaders or prominent aliases have been publicly disclosed. Analysts suggest that their coordination with other Russian intelligence-backed APTs is overseen by high-ranking figures within the FSB.

Primitive Bear TTPs

Tactics

Primitive Bear primarily aims to discredit Ukraine’s government and civil society, influence public perception, and support Russian geopolitical goals through information warfare. Their operations prioritize high strategic impact over technical sophistication.

Techniques

Key techniques used by Primitive Bear include spear phishing campaigns with malicious attachments, the creation of fake social media personas, and the dissemination of forged documents aimed at disinformation. They also amplify their messages via Russian state-sponsored media channels.

Procedures

Procedurally, Primitive Bear employs rapid dissemination of propaganda alongside malware deployment. Notable tools include phishing emails coupled with custom malware such as Pterodo backdoor and PowerPunch loader, often targeting government officials, journalists, and NGOs in Ukraine.

Want to Shut Down Threats Before They Start?

Schedule a Demo Today

Notable Cyberattacks

CyberBerkut Operations (2014–2016)

Disinformation campaigns combined with hack-and-leak operations to undermine Ukrainian institutions following the annexation of Crimea.

Ukrainian Elections (2018–2019)

Phishing operations were leveraged to disrupt election processes and discredit political figures in Ukraine.

Russian Invasion of Ukraine (2022–2024)

Coordinated disinformation and cyber efforts aimed at spreading misinformation about Ukrainian leadership and military activities, alongside disruptive attacks by other Russian APTs.

Law Enforcement & Arrests

To date, there are no public reports of arrests directly tied to Primitive Bear’s operations. However, global law enforcement remains vigilant and actively tracks Russian-backed cyber activities to mitigate their impact

How to Defend Against

Phishing Resilience: Implement robust email filtering, sandboxing of attachments, and phishing-resistant MFA.

Media Literacy Training: Educate teams to recognize disinformation tactics, especially vital for NGOs operating in affected areas.

IOC Monitoring: Hunt for Gamaredon-style implants such as Pterodo backdoor and PowerPunch loader.

Network Security: Focus on segmentation, endpoint protection, and strict access controls.

Try Huntress for Free

References

https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/

https://en.wikipedia.org/wiki/Gamaredon

https://attack.mitre.org/groups/G0047/

Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free