
Armageddon in Ukraine – how one Russia-backed hacking group operates

In 2014, when Russia annexed the Crimean Peninsula, the local security forces faced quite a dilemma. Stand, fight, run, or give up?

David Hollingworth
Mon, 17 Jul 2023

According to Ukraine’s Computer Emergency Response Team, some members of the State Security Service of Crimea cut that particular Gordian knot by switching sides entirely.

That’s part of the apparent backstory of the hacking group Armageddon (also known as Gamaredon or Primitive Bear), which CERT-UA has just shared a profile of.

CERT-UA characterises the group as focused on espionage operations against Ukraine, though the group has been reported by other researchers as having a more global reach. To date, Armageddon is thought to have compromised thousands of government machines in Ukraine.

The group’s operations are typically very fast. After gaining initial access via compromised Telegram accounts and emails, Armageddon can begin exfiltrating files within 30 minutes to an hour.

Armageddon’s malware of choice is GammaSteel, and the group targets a specific set of file types: .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb. The threat actor has also been observed modifying Office templates to help the malware spread, so that any new document created from an infected template becomes an infection vector in its own right.

The malware can even be spread to USB drives and other removable media.

“A computer functioning in an affected state for about a week can have from 80 to 120 or more malicious (infected) files,” CERT-UA said in a translated post, “not counting those files that will be created on removable media that will be connected to the computer during this period”.

As well as using Telegram as its initial attack vector, Armageddon uses the app as part of its command and control infrastructure.

“For example, in order to bypass the need to use the DNS subsystem, third-party services and/or resources of Telegram are used to determine the IP addresses of management servers,” CERT-UA said.

Armageddon currently operates from a number of different domains in Russia, Kazakhstan, Montenegro, and the Crimean city of Sevastopol, where Russia’s Black Sea Fleet is headquartered.

The group is undoubtedly focused on Ukraine and supporting Russia’s war aims; however, Armageddon has targeted Western organisations, both inside Ukraine and abroad, and even sells its services to other hacking groups.

The group has also been observed in operation since before the Crimean annexation. It may well have members who were part of the Crimean security services, whom CERT-UA now labels “traitors”, but they are only part of the overall picture. According to earlier reports from Ukrainian security services, Russian FSB officers form the core of the group’s leadership.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
