One long-running rivalry shows how Kyiv has withstood major cyber attacks

Mehul Srivastava and Anna Gross

April 14, 2022


For years, a small and disparate Ukrainian team including IT experts, intelligence officers and a criminal prosecutor has kept a wary eye on a group of hackers nicknamed Armageddon. The hackers were based in Crimea, shielded by the Russian government, which had seized the region in 2014, and out of the reach of the Security Service of Ukraine. The Ukrainian team watched Armageddon from afar to learn the ways of its enemy. It quietly studied the hacking group’s cyber weapons, intercepted phone calls and even outed its purported leaders.

Armageddon is not the most sophisticated of Russian government-affiliated hacking groups that have attacked Ukraine, but it is among the most prolific. In 5,000 different attempts, it has unleashed ever more effective malware, hidden within cleverly engineered emails to spy on Ukrainian government bodies.

But following Russia’s invasion on February 24, its latest attacks have been parried thanks, in large part, to Ukraine’s deep knowledge of Armageddon’s signature moves. “What is the best time to study your enemy? Long before the fight,” said a western official who asked not to be named. “This is especially true when you have no choice but to react.”

According to western and Ukrainian officials, as well as cyber security experts, the long-running tracking and tackling of Armageddon is just one example of a “persistent defence” that has enabled Ukraine to fend off an astounding number of cyber attacks in recent weeks.

That has allowed the country to show the same resilience online as its troops have on the ground. This toughness comes from years of preparing for, and sometimes recovering from, sophisticated Russian cyber attacks, including one that knocked out the power supply to some Kyiv suburbs in 2015.

A year later, retired US Navy Admiral Michael Rogers, who ran US Cyber Command and was the former head of the National Security Agency, sent the first teams of American soldiers to help bolster Ukrainian cyber defences. He said the missions allowed the Americans to simultaneously “look at Russian tradecraft, look at Russian malware, look at the specifics of how Russian cyber entities tend to operate”.

Earlier this month, that preparation paid off. Ukrainian officials, assisted by western cyber security companies, discovered high-grade malware from a different hacking group, dubbed Sandworm, lurking inside computers at a power station serving millions.

It had been programmed to start deleting files on April 8, repeating the successful hacks of Ukrainian power grids in 2015 and 2016, also by Sandworm, which is tied to the GRU, Russia’s military intelligence agency. “It was a significant milestone, seeing the Sandworm finally rear its head,” said Max Heinemeyer, a former hacker who now works at Darktrace, the cyber security group.

With Armageddon, the Ukrainians applied the same tactic: observe, learn and prepare.  “You need to know your enemies for years, so you can anticipate their actions,” said Shmuel Gihon, security researcher at Israel-based Cyberint. Armageddon is a serious adversary, he said, “among the most talented ones”.

At one point, the Ukrainian team intercepted — and released on YouTube — phone calls between two men they later identified as Russian domestic security officers complaining about their annual bonuses and not receiving medals and discussing a specific hack that had allowed them to grab the data off an encrypted USB stick in the few seconds that it was connected to a computer. Two western officials confirmed the authenticity of the calls.

Armageddon’s tactics have been to marry an old trick — luring someone on a government network to click on an email attachment — with increasingly sophisticated versions of malware. The hacking group’s goal is not to destroy. It is to lurk within organisations and collect information.

Over the years, Armageddon has targeted 1,500 Ukrainian institutions. Kyiv officials would not say how many were successful.  In just the past few weeks, Ukrainian officials say, emails thought to be from Armageddon have mimicked official communiqués about ships entering Crimean ports, lists of military equipment requested by Ukraine and a list of Russian war criminals identified by Ukrainian authorities. In one suspected case, still being investigated, the attachment promised to lift the veil on one of Ukraine’s state secrets and soothe the anxiety of anyone with family in the war effort.

The attachment was titled, “Information on the losses of Ukrainian army”, according to Yurii Shchyhol, the head of the State Service of Special Communication and Information Protection of Ukraine. “That is information that will be read by almost everyone involved in hostilities today,” he said.

By clicking on these emails, the previously unseen piece of malware, nicknamed Pseudosteel, surreptitiously grabbed text, PDFs, PowerPoints and other files, and sent copies to a remote server, according to an analysis of the malware carried out for the Financial Times by Dick O’Brien, principal intelligence analyst at US-based Symantec’s Threat Hunter team.

Symantec found, for instance, that whoever built the malware was a careful scavenger. The attacker knew, for example, that some of the infected computers might have partitioned their hard drives and so taught the malware to hunt for files in those walled-off areas.

Yet Pseudosteel has clear flaws. Its creators forgot that not every infected computer has the specific file needed to run the malware successfully. In fact, said O’Brien, only a minority of them would, making the malware less effective than planned. Also, Symantec’s reverse-engineering of Pseudosteel means it is less likely to evade advanced antivirus software.

But Armageddon has grown more inventive lately. The hackers have recently written 100 different versions of a “Trojan backdoor”, or malicious software designed to grant unwanted access to launch a remote attack. They also appear to have made efforts to infect the same computer with various malware to avoid being discovered. “It’s the cyber equivalent of trying to overwhelm defences with sheer force of numbers,” said O’Brien.

But Ukraine’s defences have shown the ability to stand up to the rapid-fire techniques of a group like Armageddon. “You saw [the Ukrainians], over time, develop greater expertise, capability, knowledge and experience,” said Rogers, the former US Cyber Command chief. “And you see that playing out now. You have to give them credit: they have withstood a lot of Russian activity directed against them.”