A Russian state-sponsored cyber-espionage campaign has been targeting Ukrainian government, law enforcement and military officials in order to steal information that can provide insight into near-term Ukrainian intentions and plans.
Operation Armageddon has been an active campaign since at least mid-2013, according to Lookingglass Cyber Solutions, which said that temporal analysis of the campaign indicates a direct correlation between the cyber-attacks and the ongoing war in the region.
The attack timing suggests the campaign was triggered by Ukraine’s decision to pursue the Ukraine-European Union Association Agreement (AA), designed to deepen economic integration between Ukraine and the European Union. Russian leaders publicly stated that they believed this move by Ukraine directly threatened Russia’s national security. Although the first steps toward the agreement were taken in March 2012, the campaign did not start until much later (mid-2013), as Ukraine and the EU began moving more actively toward signing it.
While it may sound like the stuff of Bond, the firm said that the campaign has been intermittently active at a small scale, and uses unsophisticated techniques.
Each attack in the campaign started with a targeted spear-phishing email designed to convince the victim either to open a malicious attachment or to click a link leading to malicious content. The decoy documents were either previously stolen from Ukrainian targets or chosen for their high relevance and interest to those targets, often government officials, so that victims would open the malicious content.
“In terms of ‘Operation Armageddon’ we honestly expected to see more outages based on prior actions from the Russians against Estonia, but this time it seems they leveraged the internet to gain a more intel-specific advantage,” said Chris Coleman, CEO at Lookingglass. “What is unique and exciting about our report is that we have mapped out a timeline correlating the use of cyber-espionage to kinetic warfare.”
Although the researchers are not certain which specific group is behind the attacks, their analysis consistently indicates that the malware used across the campaign came from the same set of operators: attacker infrastructure, TTPs and identical malware samples were reused across different waves. In addition, the password the attackers used to connect to infected machines never changed throughout the waves of the campaign.
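The linkage argument above (the same operators across waves because infrastructure, samples and an operator password recur) is a pivot over shared indicators. The script below is an added illustration of that pivot, not code or data from the Lookingglass report: the waves, hosts, hashes and passwords are constructed placeholders. It indexes each indicator to the waves it appears in, scores wave pairs by how many indicator values they share, clusters linked waves, and reports which indicators stayed constant across a whole cluster (the "password never changed" observation).

```python
"""Link attack waves through shared indicators (added example, constructed data)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample data: not real indicators from the report. Each wave lists
# the indicator values observed in it, grouped by indicator type.
WAVES = {
    "wave1": {"c2": {"host-a.example", "host-b.example"}, "password": {"p1"}, "sha256": {"h1", "h2"}},
    "wave2": {"c2": {"host-b.example", "host-c.example"}, "password": {"p1"}, "sha256": {"h2", "h3"}},
    "wave3": {"c2": {"host-d.example"}, "password": {"p1"}, "sha256": {"h4"}},
    "unrelated": {"c2": {"host-z.example"}, "password": {"pz"}, "sha256": {"h9"}},
}


def index_indicators(waves):
    """Map each (type, value) indicator to the set of waves it was seen in."""
    idx = defaultdict(set)
    for wave, kinds in waves.items():
        for kind, values in kinds.items():
            for value in values:
                idx[(kind, value)].add(wave)
    return idx


def shared_indicators(waves):
    """Indicators observed in more than one wave: the pivot points."""
    return {k: ws for k, ws in index_indicators(waves).items() if len(ws) > 1}


def link_scores(waves):
    """Count shared indicator values per pair of waves (pair keys are sorted)."""
    scores = defaultdict(int)
    for _indicator, ws in shared_indicators(waves).items():
        for a, b in combinations(sorted(ws), 2):
            scores[(a, b)] += 1
    return dict(scores)


def clusters(waves):
    """Group waves that are transitively linked by any shared indicator (union-find)."""
    parent = {w: w for w in waves}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in link_scores(waves):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for w in waves:
        groups[find(w)].add(w)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def constant_across(waves, members):
    """Indicators present in every one of the given waves, e.g. an unchanged operator password."""
    idx = index_indicators(waves)
    return sorted(k for k, ws in idx.items() if set(members) <= ws)


if __name__ == "__main__":
    for pair, score in sorted(link_scores(WAVES).items()):
        print(f"{pair[0]} <-> {pair[1]}: {score} shared indicator(s)")
    for group in clusters(WAVES):
        print("cluster:", sorted(group), "constant:", constant_across(WAVES, group))
```

In practice the pairs would be weighted rather than simply counted: a reused operator password or a private C2 host is a much stronger link than a hash of a widely shared tool, and a shared public hosting provider is barely a link at all. The structure stays the same; only the score per indicator type changes.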
“Much like during the Cold War when everyone knew nuclear submarine war games were going on even though it was not exposed until much later; we all believe that cyber-tactics are currently being used to support war efforts,” Coleman said.
Russia targeting Ukraine is nothing new: the Uroburos (Turla) campaign uncovered last March has ties to efforts going all the way back to 2005.