Ukraine’s Security Service (SBU) has finally disclosed the names of the Crimea-based hackers who have been attacking Ukraine on Russia’s orders for more than seven years.
The hacker group Armagedon, also known globally as Gamaredon or Primitive Bear, attacked Ukrainian government agencies and critical infrastructure, including hospitals, banks, factories and power stations. In the last seven years, the group has carried out at least 5,000 cyberattacks in Ukraine.
Members of Armagedon included Russian intelligence officers based in Crimea and Ukrainian “traitors,” who supported the annexation of the peninsula by Russia in 2014, the SBU announced on Nov. 4, 2021.
Five hackers will face treason charges once the investigation is completed. Ukraine also wants to bring officers of Russia’s Federal Security Service (FSB) to justice, accusing them of espionage, unauthorized interference in the operation of electronic systems and distribution of malicious software.
The SBU has long known about Armagedon’s activity in Ukraine. Now, however, Ukrainian authorities have identified the hackers by name and, for the first time, obtained recorded conversations and other evidence confirming the attacks. The SBU calls it the largest “de-anonymization campaign” against a state-sponsored hacker group in Ukrainian history.
Local cybersecurity experts, however, are not convinced that such campaigns are effective: Ukraine rarely detains Russian hackers, and its cases usually end with a notice of suspicion that goes nowhere. Neither the cybercriminals nor Russia face real consequences, experts told the Kyiv Post.
People behind Armagedon
According to Ukraine’s Security Service, Armagedon answers to Russia’s FSB department in Crimea. The group includes FSB officers, who participated in the annexation of Crimea in 2014 and former Ukrainian law enforcement officers, who “betrayed their oath” and joined Russia.
Armagedon is a state-sponsored group of cybercriminals, according to the SBU — it allegedly receives financial support from the Russian government. The group has been active since 2013. It is “extremely aggressive” and “targets users all over the globe — from banks in Africa to educational institutions in the U.S.,” according to Cisco Talos, the U.S. threat intelligence organization.
In Ukraine, the group has attacked over 1,500 enterprises since 2014. The SBU obtained video excerpts in which the Crimea-based hackers boast about stealing classified documents from a Ukrainian state-owned enterprise and installing spyware on the computer of a Ukrainian lawmaker.
To gain access to the computers of Ukrainian government services and state enterprises, the hackers sent phishing emails disguised as official documents, the SBU said. It did not disclose who the victims of these attacks were.
Links to Russia
According to Cisco, Armagedon has long been associated with pro-Russian activity, and most of the IP addresses of the hackers’ devices also lead to Russia. Even the group’s name uses the Russian spelling of the word Armageddon, with one ‘d’.
On recordings obtained by the SBU, the hackers discussed their salaries and the lack of rewards from the leadership of the Crimean FSB.
Although the hackers have not been detained, the SBU’s investigation may force Russia to shield them.
Ukraine should also expect a retaliatory attack, according to Andriy Baranovich, the press secretary of the Ukrainian Cyber Alliance, who works under the name Sean Brian Townsend. “We should expect it from the FSB because it is very sensitive to Ukrainian news,” he wrote on Facebook.
Cyberwar between Russia and Ukraine
Mutual cyberattacks between Ukraine and Russia have become routine in recent years. Russian-backed hacker groups attacking Ukraine include Fancy Bear, Turla and The Dukes, according to the SBU. Russian-backed groups were behind the most devastating cyberattacks on Ukraine: the BlackEnergy and Industroyer attacks on the power grid and the NotPetya wiper.
Hackers, including those working for Armagedon, usually target weaknesses in Windows systems, but they go after Android and Linux devices too.
Phishing emails are the most common and simplest type of attack. Users click links hidden in malicious emails because they do not check whether the sender’s address is genuine. The display name shown by a mail client is free text that anyone can set; only the actual address, its domain, and the link’s real target are worth inspecting.
According to the SBU, hackers send phishing emails that appear to come from government agencies, international organizations and even close relatives in order to infect a computer with malware.
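The sender and link checks described above, as an added example that is not part of the original article or of any SBU material. The two messages are constructed for illustration (they are not real Armagedon samples), and TRUSTED_DOMAINS is an assumption standing in for the domains the recipient actually corresponds with.

```python
"""Triage a suspected phishing e-mail: does the sender's address match what
the message claims, and do its links go where they appear to go?
Added example; messages below are constructed, not real Armagedon lures."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"gov.ua"}  # assumption: the recipient's own organisation

# Constructed lure: official display name, look-alike sender domain, failed SPF,
# a Reply-To that diverts answers, and a link whose text differs from its target.
LURE_EML = b"""From: "Ministry of Defence of Ukraine" <documents@m0d-gov-ua.example>
Reply-To: collector@mail.example
To: analyst@agency.gov.ua
Subject: Urgent: updated procurement order
Authentication-Results: mx.agency.gov.ua; spf=fail smtp.mailfrom=m0d-gov-ua.example; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the order:
<a href="http://192.0.2.1/order.exe">https://mod.gov.ua/orders/2021-11.pdf</a></p></body></html>
"""

# Constructed legitimate message for comparison.
CLEAN_EML = b"""From: "Procurement" <procurement@mod.gov.ua>
To: analyst@agency.gov.ua
Subject: Procurement order
Authentication-Results: mx.agency.gov.ua; spf=pass smtp.mailfrom=mod.gov.ua; dkim=pass
Content-Type: text/html; charset=utf-8

<html><body><p>Order: <a href="https://mod.gov.ua/orders/2021-11.pdf">https://mod.gov.ua/orders/2021-11.pdf</a></p></body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(raw, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Judge the address, not the display name: the name is free text.
    _display, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rpartition("@")[2].lower()
    if not _is_trusted(from_host, trusted):
        findings.append(f"sender domain {from_host!r} is not trusted")

    # 2. A Reply-To elsewhere silently redirects the victim's answer.
    _d, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_host:
        findings.append(f"Reply-To {reply!r} goes to a different domain than From")

    # 3. What the receiving mail server concluded about SPF/DKIM/DMARC.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech} result is {m.group(1)}")

    # 4. Links: visible URL vs real target, raw IP targets, direct executables.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkParser()
        parser.feed(body.get_content())
        for href, text in parser.links:
            actual = _host(href)
            shown = _host(text) if text.startswith(("http://", "https://")) else ""
            if shown and shown != actual:
                findings.append(f"link text shows {shown} but points at {actual}")
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", actual):
                findings.append(f"link points at a bare IP address {actual}")
            if urlparse(href).path.lower().endswith((".exe", ".scr", ".hta", ".js", ".vbs")):
                findings.append(f"link fetches an executable: {href}")
    return findings


if __name__ == "__main__":
    for name, raw in (("lure", LURE_EML), ("clean", CLEAN_EML)):
        print(name, triage(raw) or "no findings")
```

The checks deliberately ignore the display name, which is what the victim usually reads; the constructed lure passes every visual test and fails every check on the actual address, the server's authentication verdict and the link target.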