Image: Aleksandr Popov via Unsplash

Russian hacking group Armageddon increasingly targets Ukrainian state services

The Moscow-linked hacking group known as Armageddon remains one of the most active and dangerous threat actors targeting Ukraine during its war with Russia, according to recent research.

The group, also known as Gamaredon, mostly conducts cyberespionage operations against Ukrainian security and defense services, but the group has also been linked to at least one destructive cyberattack against an unspecified information infrastructure facility, according to the Ukrainian computer emergency response team (CERT-UA).

According to an analysis from CERT-UA published Friday, the group has infected thousands of government computers.

“They are even more active this year than they were last year—both in terms of malware development as well as phishing campaigns,” said Robert Lipovsky, a threat intelligence researcher at Slovak cybersecurity company ESET.

The group is “bombarding Ukraine,” said Dick O’Brien, intelligence analyst at U.S. cybersecurity firm Symantec. According to him, the group was apparently created solely to carry out attacks on Ukraine.

“That's highly unusual,” O’Brien told Recorded Future News. “It may not be the most technically sophisticated group but the combination of focus and energy does make it particularly threatening.”

Tactics and tools

Armageddon operates from the Russian-annexed Ukrainian Crimean peninsula and acts on orders from Russia’s Federal Security Service (FSB) in Moscow, according to cybersecurity experts.

Lately, the group has been consistently improving its tactics and rewriting its tools in order to evade detection, according to CERT-UA.

One of the latest techniques observed by researchers is a USB infection capability: when an infected removable drive is moved between computers, the threat actor is able to infect new hosts, according to Dmitry Bestuzhev, senior director of BlackBerry’s cyber threat intelligence team.

"It is a simple but sometimes effective way of spreading malware to more computers on a network and lengthening their intrusion times,” O’Brien said.

To gain unauthorized access to a victim’s system, Armageddon hackers mostly use phishing emails or text messages sent from previously compromised Telegram, WhatsApp, and Signal accounts, according to CERT-UA.

Once the hackers gain initial access, they typically proceed to steal files within 30 to 50 minutes, often using the GammaSteel malware. This is a custom-made information stealer implant that can exfiltrate files with specific extensions, steal user credentials and take screenshots of the victim’s computer.

Hackers can re-infect a computer if even a single malicious file remains on it, CERT-UA said.

Espionage and persistence

The focus on espionage distinguishes Armageddon from other state-sponsored Russian groups, including Sandworm, which is mostly engaged in cyber sabotage. But it also makes it harder for researchers to evaluate the impact of Armageddon’s attacks, according to Lipovsky.

“We have been detecting continuous waves of Armageddon campaigns in Ukraine and many attacks have been thwarted,” he said.

The group mostly uses Telegram to send instructions to compromised devices, receive information from them, and coordinate their actions, according to Bestuzhev.

The use of Telegram helps the threat actor “fly under the radar,” since the malware is communicating with the platform’s own servers, which are legitimate web resources. “For defenders, it’s generally harder to spot exfiltration and malicious communications,” he added.
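The detection problem Bestuzhev describes is that the destination itself is legitimate, so a domain allow-list or reputation feed never fires. The following script, an added example that is not from the article, CERT-UA or any vendor, shows the usual defender pivot: ignore the destination's reputation and instead look at which process on the host is talking to Telegram, and how much it is uploading. The log format, the Telegram hostnames, the lists of expected and suspicious processes, the threshold and the sample records are all constructed assumptions for illustration, not real telemetry.

```python
"""
Detection of Telegram-as-C2 traffic by originating process and upload volume.

Added example (not from the article, CERT-UA, or any vendor): the log format,
host and process lists, thresholds and sample records are constructed assumptions.
"""
import re

# Public Telegram endpoints a Telegram-based C2 channel would contact.
# Which hostnames matter in a given environment is an assumption to tune locally.
TELEGRAM_HOSTS = {"api.telegram.org", "t.me", "telegram.org", "web.telegram.org"}

# Processes expected to talk to Telegram on a managed workstation (assumption).
EXPECTED_PROCESSES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Script hosts, LOLBins and Office binaries: the usual first stage of a phishing
# chain and never a legitimate Telegram client (assumption).
SUSPICIOUS_PROCESSES = {
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
    "winword.exe", "excel.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed proxy/EDR-style records (key=value), not real telemetry.
SAMPLE_LOG = """\
2023-06-09T08:12:01Z host=WS-ACC-04 user=olena proc=chrome.exe dst=t.me bytes_out=812
2023-06-09T08:12:44Z host=WS-ACC-04 user=olena proc=telegram.exe dst=api.telegram.org bytes_out=2210
2023-06-09T09:03:17Z host=WS-DOC-11 user=ihor proc=wscript.exe dst=api.telegram.org bytes_out=3402
2023-06-09T09:03:19Z host=WS-DOC-11 user=ihor proc=wscript.exe dst=api.telegram.org bytes_out=1048576
2023-06-09T09:05:02Z host=WS-DOC-11 user=ihor proc=mshta.exe dst=t.me bytes_out=640
2023-06-09T09:20:55Z host=WS-HR-02 user=kateryna proc=winword.exe dst=api.telegram.org bytes_out=920
2023-06-09T09:21:10Z host=WS-HR-02 user=kateryna proc=outlook.exe dst=mail.example.gov.ua bytes_out=5120
2023-06-09T10:30:00Z host=WS-IT-01 user=admin proc=python.exe dst=api.telegram.org bytes_out=150
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' record; return None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    try:
        event["bytes_out"] = int(event.get("bytes_out", 0))
    except ValueError:
        event["bytes_out"] = 0
    return event


def classify(event):
    """Return (severity, reason) for a Telegram-bound event, or None if benign."""
    dst = event.get("dst", "").lower()
    proc = event.get("proc", "").lower()
    if dst not in TELEGRAM_HOSTS:
        return None  # destination reputation alone says nothing useful here
    if proc in SUSPICIOUS_PROCESSES:
        return "high", f"{proc} contacted {dst}; script/Office hosts should not reach Telegram"
    if proc not in EXPECTED_PROCESSES:
        return "medium", f"unexpected process {proc} contacted {dst}"
    return None


def detect(log_text, exfil_threshold=512 * 1024):
    """Flag suspicious Telegram traffic; escalate hosts whose flagged uploads look like exfiltration."""
    alerts = []
    flagged_bytes_per_host = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict is None:
            continue
        severity, reason = verdict
        host = event.get("host", "?")
        flagged_bytes_per_host[host] = flagged_bytes_per_host.get(host, 0) + event["bytes_out"]
        alerts.append({"ts": event["ts"], "host": host, "proc": event.get("proc"),
                       "dst": event.get("dst"), "bytes_out": event["bytes_out"],
                       "severity": severity, "reason": reason})
    # Second pass: a flagged process pushing a lot of data to Telegram is the
    # exfiltration pattern rather than mere beaconing; raise the whole host to critical.
    for alert in alerts:
        if flagged_bytes_per_host[alert["host"]] >= exfil_threshold:
            alert["severity"] = "critical"
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["severity"]:8} {a["host"]:10} {a["proc"]:14} -> {a["dst"]} ({a["bytes_out"]} B) {a["reason"]}')
```

On the constructed records the two browser and Telegram-client connections from WS-ACC-04 are ignored, the Word and Python connections are flagged, and WS-DOC-11 is escalated because a script host moved roughly a megabyte to api.telegram.org within seconds of first contact. The design point is that the allow-list on destinations is deliberately not the decision: process lineage and upload volume are the signals, which is also why this needs endpoint or authenticated-proxy telemetry rather than DNS logs alone.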

Bestuzhev said that although Gamaredon has been “quite successful” in Ukraine it is still facing challenges, such as moving laterally within the infected networks.

O’Brien believes the group is trying to make up for its lack of technical skills with persistence in its attacks.

“They tend to only compromise individual computers in targeted organizations, so it’s quite likely they're usually getting fragments rather than the keys to the kingdom,” he said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.