Ukrainian CERT details Russia-linked phishing attacks targeting government officials
Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia, CERT-UA said.
One of the two cyberespionage campaigns targeted Ukrainian government agencies using the email address “[email protected][.]ua” with the subject line “Information on war criminals of the Russian Federation,” as originally reported by BleepingComputer.
The email lured recipients to open a file with a similar name, CERT-UA said, which — after a few steps — would infect a victim’s device with espionage malware.
Latvian government officials were the second target of the Russian threat actor, suggesting that the emails were likely sent to other EU government agencies. CERT-UA’s investigation into the operation found that RAR archives named “Necessary_military_assistance.rar” would be downloaded, leading to links that seemingly contained information on military and humanitarian assistance. Opening those files would infect a victim’s device in a fashion similar to the phishing attack sent to Ukrainian officials, according to the report.
Armageddon (also known as Gamaredon and Primitive Bear) is linked to the Russian Federal Security Service and has a long history of cyberattacks against Ukraine. The Security Service of Ukraine (SSU) released a statement in November 2021 outlining the group’s objectives:
“Control over critical infrastructure facilities (power plants, heat and water supply systems), theft and collection of intelligence (related to security and defense sector, government agencies), informational and psychological influence, blocking information systems.”
The 2021 report attributed 5,000 cyberattacks since 2014 and 1,500 infiltrated computer systems belonging to government agencies to the Moscow-based threat actor, citing “irrefutable evidence of their involvement in the attacks.”