Ukraine exposes expansive Russian hacking operation targeting its government, infrastructure

Ukraine doxxed phone calls from the hackers, known in Ukraine as "Armageddon" but as Gamaredon elsewhere.
Veterans of the war with Russian-backed separatists in eastern Ukraine and activists of Right Sector, a far-right movement, hold flags as they march after their rally called "Stop the creeping occupation!" outside the office of Ukrainian President Volodymyr Zelensky in Kiev on November 4, 2021. (Photo by SERGEI SUPINSKY/AFP via Getty Images)

Ukraine’s top law enforcement agency published a detailed analysis Thursday outing what it says are Russian hackers and “traitors who sided with the enemy” behind a sweeping campaign that began in 2014.

The hackers, according to the Security Service of Ukraine, are responsible for more than 5,000 cyberattacks on Ukrainian state entities and critical infrastructure that attempted to “infect” more than 1,500 government computer systems.

The report says the Russian intelligence agency the Federal Security Service (FSB) is behind the “Armageddon” group, known more broadly outside Ukrainian borders as Gamaredon or Primitive Bear.

It’s distinct from other Russian intelligence and military hacking groups behind attacks on targets around the world, including the infamous hacks of the Democratic National Committee and Hillary Clinton’s campaign ahead of the 2016 elections. Armageddon dates back to 2013 or 2014, the Ukrainian report says, making it “relatively young,” but nevertheless worthy of attention and “able to turn into a cyberthreat with consequences, the scale of which will exceed the negative effect” of the other Russian government hacking groups.

While the Gamaredon hacking outfit has demonstrated global reach, it has repeatedly returned to Ukraine, a former Soviet constituent republic. Ukraine is spotlighting the intrusions at a time of rising conflict with Russia.

The FSB officers involved, as well as former Ukrainian law enforcement officers, are being accused of several crimes in Ukraine, including espionage, unauthorized interference with the work of computer systems and the creation and use of malicious software.

The information that the Ukrainians published includes a 35-page written analysis, a slideshow and videos that include recordings of the purported Russian government hackers discussing attacks in real-time. “The Ukrainian special service revealed the identities of the intruders [and] obtained incontrovertible evidence of their illegal activity, including interception of their phone calls,” the agency wrote.

Their main aims included control of critical infrastructure, theft and collection of intelligence and classified information, “operations of information and psychological influence” and blocking access to information systems, the Ukrainian agency alleges.

The activity carried out by the group is part of the ongoing hybrid warfare waged by the Russian government against Ukraine, which blends traditional overt military tactics with covert and subtle ones such as influence operations and cyberattacks aimed at espionage and denial of service. It has even included aggressive attacks on critical infrastructure, such as in December 2015, when Russian hackers temporarily disabled electricity in Ukraine.

Thursday’s report says that the group’s main purpose is targeted cyber intelligence activity, particularly against government agencies. Armageddon’s tactics and methods aren’t particularly sophisticated, and they’re not trying to stay off the radar. “The group’s activities are characterized by intrusiveness and audacity,” the report states.

The Ukrainian authors divided Armageddon’s evolution into two phases, from 2014 to 2017, and then 2017 to the present. During the first few years the group primarily relied on publicly available software, but after 2017 it began developing custom malware called Pterodo/Pteranodon, “which widely expanded the functionality of the group.”

A press representative at the Russian embassy in Washington, D.C., did not immediately respond to a request for comment.

Russia declared war against Ukraine on Feb. 24, 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine