Ukrainian CERT details Russia-linked phishing attacks targeting government officials

Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia, CERT-UA said.

One of the two cyberespionage campaigns targeted Ukrainian government agencies using the email address “vadim_melnik88@i[.]ua” with the subject line, “Information on war criminals of the Russian Federation,” originally reported by BleepingComputer

The email lured recipients to open a file with a similar name, CERT-UA said, which — after a few steps — would infect a victim’s device with espionage malware. 

Latvian government officials were the second target of the Russian threat actor, suggesting that the emails were likely sent to other EU government agencies. CERT-UA’s investigation into the operation found that RAR archives named “Necessary_military_assistance.rar” would be downloaded, leading to links that seemingly contained information on military and humanitarian assistance. Opening those files would infect a victim’s device in a similar fashion as the phishing attack sent to Ukrainian officials, according to the report.    


A phishing attack targeting Latvian officials. IMAGE: CERT-UA

Armageddon (also known as Gamaredon and Primitive Bear) is linked to the Russian Federal Security Service and has a long history of cyberattacks against Ukraine. The Security Service of Ukraine (SSU) released a statement in November 2021 outlining the group’s objectives:

“Control over critical infrastructure facilities (power plants, heat and water supply systems), theft and collection of intelligence (related to security and defense sector, government agencies), informational and psychological influence, blocking information systems.”

The 2021 report attributed 5,000 cyberattacks since 2014 and 1,500 infiltrated computer systems belonging to government agencies to the Moscow-based threat actor, citing “irrefutable evidence of their involvement in the attacks.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Emma Vail

Emma Vail is an editorial intern for The Record. She is currently studying anthropology and women, gender, and sexuality at Northeastern University. After creating her own blog in 2018, she decided to pursue journalism and further her experience by joining the team.