Who is Armageddon, the group of Russian hackers responsible for 5,000 cyber attacks against Ukraine?

Active since 2013, this group of Russian hackers, members of the intelligence services, has not stopped harassing Ukraine since the invasion of Crimea and Donbass in 2014. These hackers have expanded their activity to the rest of Europe.

Russia has deployed a number of forces against Ukraine, including its hacking units. These hackers, generally assigned to intelligence, cyberespionage and infiltration missions, are now fully involved in the conquest of the neighboring country. At the end of April, the Ukrainian cyber defense also revealed the five most active groups of Russian hackers since the start of the invasion, led by UAC-0010, more commonly known as Armageddon. The group is also known as Gamaredon or Primitive Bear.

These designations given by various states or cyber security companies relate to the same group of Russian hackers who specialize in information capture. Contrary to what their names suggest, these hackers prefer infiltration over destruction. They were first identified in 2013 in an email bombing campaign targeting Ukrainian officials, amid the revolution in Kiev. Since then, they have continued to harass the people of the country.

1,500 Ukrainian institutions targeted

Over the years, Armageddon has carried out more than 5,000 cyberattacks against 1,500 Ukrainian institutions, according to the Kiev government. They distinguished themselves by developing their own malware called Pteranodon. This Trojan is mainly used for espionage operations as it can collect data by taking screenshots of the victim’s desktop.

The most recent publicly known incident, last May, was a series of emails sent to Ukrainians with a file named “Revenge for Kherson”. This Ukrainian city, currently occupied by the Russians, is the subject of strong opposition from the local population. The goal is to infiltrate the victims’ computers to recover the necessary information or even destroy all data on the phished device. In April, they used the messaging app Telegram to try to trick members of the Ukrainian government by sending fake notifications.

It is also possible to connect Vladimir Putin’s plans with the Armageddon group’s activity. The unit, which is linked to Russian intelligence, has intensified its offensives since January 2022 and carried out another spam campaign the day before the invasion, on February 23. The attackers used “spear phishing”, a form of phishing that targets specific individuals using personal information collected beforehand.

Five members identified by Ukrainian intelligence

We know that it is difficult to identify a group of hackers, even more so to link it to a foreign government. It is also impossible to know exactly how many members belong to it. Ukraine nevertheless managed to provide the names of five members of Armageddon, all employees of the FSB, the Russian intelligence service in Moscow. Asked by Numerama, Victor Zhora, deputy director of Ukraine’s Cyber Security Agency, said that “the group consists of FSB officers from Crimea, that is, traitors against Ukraine, who sided with Russia in 2014. We know their names.”

Ukrainian intelligence revealed the photos and identity of these hackers last November. All worked from Crimea and Sevastopol, a Ukrainian port located on the peninsula, at the time on loan to Russia to host its naval base in the Black Sea. All were also employed by the FSB at the time of the events and therefore worked secretly in a still quiet Ukraine.

Identified members of the Armageddon group. // Source: Ukrainian security services

“The main advantage of attacks in cyberspace is this high degree of anonymity and the difficulty of identifying the specific individuals who organize or carry out these operations. Nevertheless, we are working hard to identify each hacker. I hope they are all punished as war criminals,” says Victor Zhora.

The Russian phishing masters are now well known to Ukrainian cyber defenses and are quickly detected when they launch a new campaign. Nevertheless, they remain dangerous, especially for officials from other governments who are less cautious when it comes to opening Moscow’s booby-trapped emails. Thus, several experts have noted that Armageddon has expanded its attack zone to Europe and NATO member countries since the beginning of the invasion.

NATO member countries targeted

In late March, Google reported that a group of Russian hackers known as Gamaredon, Callisto and COLDRIVER had been detected for the first time in a phishing operation involving email addresses belonging to NATO, military personnel in Eastern Europe, and Eastern and US NGOs. “These campaigns were sent using newly created Gmail addresses linked to non-Google accounts, the success rate is unknown. We have not observed any compromised Gmail accounts,” Billy Leonard of Google’s Threat Analysis Group said in a press release. In April, a booby-trapped email titled “information on Russian war criminals” was sent to several EU agencies by the notorious hacker group.

An example of a booby-trapped email sent to EU agencies. Here, the malware hides in a document that purports to contain a list of Ukrainian military demands. // Source: CERT-UA

At the end of May, a scandal broke in the UK with the leak of emails from several pro-Brexit personalities, published on a website called “A very British coup” (in English “Very British State Co-op”). Emails allegedly from the accounts of the former head of MI6 (British intelligence service) and several MPs claimed that a group of pro-Brexit politicians secretly controlled Britain. The site claimed that during Theresa May’s time as Prime Minister there was a plan to replace Boris Johnson as Prime Minister.

After analyzing the website, Shane Huntley, director of Google’s Threat Analysis Group (TAG), told Reuters that all evidence pointed to a Russia-based hacking group known as “Cold River”, another name for Armageddon. The content of the emails should be taken with a grain of salt due to the tense context between London and Moscow. Prime Minister Boris Johnson was banned from Russia in mid-April because of his support for Ukraine.

Other Russian hacker groups, such as Fancy Bear and Sandworm, are already attacking Russia’s declared enemies. Armageddon haunts Ukraine but has not caused the expected cyber apocalypse. On the other hand, no one is safe from having all their data removed by one of the group’s booby-trapped emails.

