For years, a small, disparate Ukrainian team comprising computer experts, intelligence operatives and a criminal prosecutor has kept a close eye on a group of hackers dubbed Armageddon.
The hackers were based in Crimea, protected by the Russian government, which seized the region in 2014, and beyond the reach of Ukrainian security services.
The Ukrainian team watched Armageddon from afar to learn the ways of their enemy. It quietly studied the hacking group’s cyber weapons, intercepted phone calls and even unmasked its alleged leaders.
Armageddon is not the most sophisticated of the Russian government-affiliated hacking groups that have attacked Ukraine, but it is among the most prolific. In 5,000 different attempts, it unleashed ever more effective malware hidden in cleverly crafted emails to spy on Ukrainian government bodies.
But after Russia invaded on February 24, its latest attacks were parried thanks, in large part, to Ukraine’s deep knowledge of Armageddon’s signature moves.
“When is the best time to study your enemy? Long before the fight,” said a Western official who asked not to be named. “This is especially true when you have no choice but to react.”
According to Western and Ukrainian officials, as well as cybersecurity experts, the long-running tracking of and fight against Armageddon is just one example of a “persistent defense” that has allowed Ukraine to repel an extraordinary number of cyberattacks in recent weeks.
This has allowed the country to show the same resilience online as its troops have shown on the ground. That tenacity stems from years of preparing for, and at times recovering from, sophisticated Russian cyberattacks, including one that knocked out power to some Kyiv suburbs in 2015.
A year later, retired US Navy Admiral Michael Rogers, then head of US Cyber Command and director of the National Security Agency, sent the first teams of US personnel to help reinforce Ukrainian cyber defenses. He said the missions allowed Americans to simultaneously “look at Russian craftsmanship, look at Russian malware, look at the details of how Russian cyber entities tend to operate.”
Earlier this month, that preparation paid off. Ukrainian officials, aided by Western cybersecurity firms, discovered high-grade malware from another hacking group, dubbed Sandworm, hidden in the computers of a power plant serving millions of people.
It had been scheduled to start deleting files on April 8, repeating the successful hacks of Ukrainian power grids in 2015 and 2016, also by Sandworm, which is linked to the GRU, Russia’s military intelligence agency.
“It was a milestone, seeing the Sandworm finally raise its head,” said Max Heinemeyer, a former hacker who now works at Darktrace, the cybersecurity group.
With Armageddon, the Ukrainians applied the same tactic: observe, learn and prepare.
“You need to know your enemies for years, so you can anticipate their actions,” said Shmuel Gihon, security researcher at Israel-based Cyberint. Armageddon is a serious adversary, he says, “among the most talented”.
At one point, the Ukrainian team intercepted – and posted on YouTube – phone calls between two men they later identified as Russian internal security agents. The men complained about their annual bonuses and about not receiving medals, and discussed a specific hack that allowed them to recover the data from an encrypted USB drive within seconds of its being connected to a computer. Two Western officials confirmed the authenticity of the calls.
Armageddon’s tactic involved marrying an old trick – tricking someone on a government network into opening an email attachment – with increasingly sophisticated versions of malware. The hacking group’s purpose is not to destroy; it is to hide within organizations and gather information.
Over the years, Armageddon has targeted 1,500 Ukrainian institutions. Kyiv officials would not say how many succeeded.
In recent weeks, according to Ukrainian officials, emails attributed to Armageddon have mimicked official statements about ships entering Crimean ports, lists of military equipment requested by Ukraine and a list of war criminals identified by the Ukrainian authorities.
In one case, which is still under investigation, the attachment promised to lift the veil on one of Ukraine’s state secrets and ease the anxiety of anyone with family members in the war effort.
The attachment was titled “Information on casualties of the Ukrainian army,” according to Yurii Shchyhol, the head of Ukraine’s State Service of Special Communications and Information Protection. “This is information that will be read by almost everyone involved in hostilities today,” he said.
Once the attachment was opened, novel malware dubbed Pseudosteel surreptitiously grabbed text files, PDFs, PowerPoints and other documents and sent copies to a remote server, according to a malware analysis conducted for the Financial Times by Dick O’Brien, senior intelligence analyst with Symantec’s US-based Threat Hunter team.
Symantec found, for example, that whoever created the malware was a careful scavenger: the attacker knew that some infected computers might have partitioned hard drives, and so taught the malware to look for files in those separate partitions as well.
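The collection behaviour described above (many document files read in a short time, across more than one volume) is something a defender can look for in endpoint file-access telemetry. The following is an added illustration, not code from the article, from Symantec or from any Ukrainian team; the event format, the thresholds and the sample events are all constructed assumptions, and the document types are the ones the article names plus a few common office formats.

```python
"""Heuristic detection of bulk document harvesting from file-access events.

Added example (not from the article). Assumes a constructed event stream of
dicts with keys pid, process, ts (datetime) and path (Windows path). It flags a
process that reads many document files across more than one volume inside a
short window, the pattern the article attributes to Pseudosteel.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Document types named in the article (text, PDF, PowerPoint) plus assumed common office formats.
DOC_EXTENSIONS = {".txt", ".rtf", ".pdf", ".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx"}

# Thresholds are illustrative assumptions; tune them to the environment's baseline.
MIN_DOCS = 20            # documents read in one window before we care
MIN_VOLUMES = 2          # reading across partitions/volumes is the scavenger trait
WINDOW = timedelta(minutes=5)


def volume_of(path: str) -> str:
    """Return the drive letter (e.g. 'C:') of a Windows path, used as the volume key."""
    return PureWindowsPath(path).drive.upper()


def is_document(path: str) -> bool:
    """True when the file extension is one of the harvested document types."""
    return PureWindowsPath(path).suffix.lower() in DOC_EXTENSIONS


def find_harvesters(events, min_docs=MIN_DOCS, min_volumes=MIN_VOLUMES, window=WINDOW):
    """Return {(pid, process): {"docs": n, "volumes": set, "first_seen": ts}}.

    For each process, slide a time window over its document reads and report
    the densest window that meets both thresholds.
    """
    by_proc = defaultdict(list)
    for ev in events:
        if is_document(ev["path"]):
            by_proc[(ev["pid"], ev["process"])].append(ev)

    findings = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            volumes = {volume_of(e["path"]) for e in window_evs}
            if len(window_evs) >= min_docs and len(volumes) >= min_volumes:
                if best is None or len(window_evs) > best["docs"]:
                    best = {"docs": len(window_evs), "volumes": volumes,
                            "first_seen": window_evs[0]["ts"]}
        if best is not None:
            findings[key] = best
    return findings


def constructed_events():
    """Constructed sample telemetry: one ordinary user process and one harvester."""
    base = datetime(2022, 4, 1, 9, 0, 0)
    events = []
    # Benign: a word processor opening three documents over an hour, one volume.
    for i in range(3):
        events.append({"pid": 1001, "process": "winword.exe",
                       "ts": base + timedelta(minutes=20 * i),
                       "path": f"C:\\Users\\alice\\Documents\\report{i}.docx"})
    # Suspicious: an unknown process reading 25 documents on C: and D: in under two minutes.
    for i in range(25):
        drive = "C:" if i % 2 == 0 else "D:"
        events.append({"pid": 4242, "process": "updater.exe",
                       "ts": base + timedelta(seconds=4 * i),
                       "path": f"{drive}\\Users\\alice\\Documents\\file{i}.pdf"})
    return events


if __name__ == "__main__":
    for (pid, proc), info in find_harvesters(constructed_events()).items():
        print(f"{proc} (pid {pid}): {info['docs']} documents across "
              f"{sorted(info['volumes'])} from {info['first_seen']:%H:%M:%S}")
```

The volume condition is what separates this from a simple "many reads" rule: a backup agent or search indexer also reads many documents, so in practice the heuristic would be paired with an allowlist of known collectors and with network telemetry showing where the copies are sent.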
Still, Pseudosteel has obvious flaws. Its creators forgot that not all infected computers have the specific file needed to run the malware successfully. In fact, O’Brien said, only a minority would, making the malware less effective than expected.
Additionally, now that Symantec has reverse-engineered Pseudosteel, it is less likely to evade advanced anti-virus software.
But Armageddon has become more inventive lately. Its hackers recently wrote 100 different versions of a “Trojan backdoor”, malware designed to give a remote attacker covert access to a machine. They also appear to have made efforts to infect the same computer with several different pieces of malware so that at least one evades detection.
“It’s the cybernetic equivalent of trying to overwhelm defenses with strength in numbers,” O’Brien said.
But Ukrainian defenses have shown they can withstand the rapid-fire techniques of a group like Armageddon.
“You have seen [the Ukrainians], over time, develop greater expertise, capacity, knowledge and experience,” said Rogers, the former head of US Cyber Command. “And you see it playing out now. You must give them credit: they resisted many Russian activities directed against them.”