Ukrainian special services claim to have identified the operatives behind the prolific “Armageddon” hacking group, alleging they are Russian FSB officers.
In a brief statement, the Security Service of Ukraine (SSU) revealed that the group, also known as “Gamaredon,” was responsible for over 5000 attacks on the Ukrainian government and critical infrastructure assets.
It targeted 1500 government computer systems, intending to steal sensitive information relating to security and defense and to block information systems, and also attacked power plants and heat and water systems, the SSU said.
The five were reportedly members of the Crimean FSB before defecting to the Russian side after the invasion of the Ukrainian peninsula in 2014. As a result, they’re being accused of treason and espionage, malware development and interference with computers.
The SSU said it had managed to unmask the individuals despite their use of FSB tools to stay hidden online.
“The Armageddon hacker group is an FSB special project, which specifically targeted Ukraine,” it said. “This ‘line of work’ is coordinated by the FSB’s 18th Center (Information Security Center) based in Moscow.”
Although the individuals have not been arrested, the SSU will be hoping to send a signal to the FSB with this notice.
The security service also released a detailed technical document highlighting the group’s TTPs, including exploitation of legacy Windows vulnerabilities, malware loaded onto removable media, the EvilGnome Linux backdoor and a custom RAT dubbed “Pteranodon.”
John Hultquist, VP of intelligence analysis at Mandiant, explained that Armageddon has also been observed attacking global targets.
“Due to the ongoing conflict, Ukraine has borne early witness to many of Russia’s most aggressive cyber-attack capabilities, from the ability to knock power offline to the earliest versions of the fake ransomware that eventually became NotPetya,” he added.
“If we want to see what’s coming next, we have to be mindful of the lessons already being learned in Ukraine and other countries where cyberattacks are frequent and evolving.”