Russian state hackers, perhaps more than those of any other nation, tend to show off. The notorious Sandworm unit within Russia's GRU military intelligence agency, for instance, has triggered unprecedented blackouts and released destructive, self-replicating code. The FSB's ingenious Turla group has hijacked satellite internet connections to steal victims' data from space. But one team of less-flashy cyberspies working on behalf of the Kremlin seldom earns the same notice: Armageddon, or Gamaredon.
The hackers, believed to work in the service of Russia's FSB intelligence agency, aren't known for their sophistication. Yet they have strung together a decade-plus record of almost constant espionage-focused breaches, grinding away with simple, repetitive intrusion methods, year after year. Thanks to that sheer overwhelming quantity of hacking attempts, they represent by some measures the top espionage threat facing Ukraine in the midst of its war with Russia, according to cybersecurity defenders who track the group.
“They are the most active state-aligned hacker group attacking Ukrainian organizations, by far,” says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET.
ESET has tracked Gamaredon as it's breached the networks of hundreds of victims in Ukraine, stealing thousands of files on a regular basis, Lipovsky says. “Their operation is highly effective,” he adds. “Volume is their big differentiator, and that's what makes them dangerous.”
If Gamaredon doesn't behave like other Russian hacking groups, that's in part because some of them aren't Russian nationals—or weren't, technically, until 2014.
According to the Ukrainian government, Gamaredon's hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine's Maidan revolution. Some of them previously worked on behalf of Ukraine's own security services before switching sides when Russia's Crimean occupation began.
“They are officers of the ‘Crimean’ FSB and traitors who defected to the enemy,” reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems including critical infrastructure like “power plants, heat and water supply systems.”
The group's initial access techniques, ESET’s Lipovsky says, consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine. Those relatively basic tactics have hardly evolved since the group first appeared as a threat aimed at Ukraine in late 2013. Yet by tirelessly cranking away at those simple forms of hacking and targeting practically every Ukrainian government and military organization—as well as Ukrainian allies in Eastern Europe—on a regular basis, Gamaredon has proven to be a serious and often underestimated adversary.
“People sometimes don’t realize how big a part ‘persistence’ plays in the phrase APT,” says John Hultquist, chief analyst for Google's Threat Intelligence Group. “They’re just relentless. And that itself can be kind of a superpower.”
In October 2024, the Ukrainian government went as far as to sentence two of Gamaredon's hackers in absentia for not only hacking crimes but treason. A statement from the SBU at the time accused the two men—neither of whom are named—of having “betrayed their oath” by voluntarily joining the FSB.
For Gamaredon's former SBU hackers, turning on their former countrymen may not have resulted in the perks they hoped. Aside from the apparent slog of their constant phishing campaigns, intercepted phone communications between members of the group published by the SBU appear to show them complaining about their low pay and lack of recognition. “They should have given you a medal,” one team member says to another in the Russian-language conversation. “Screwed one more time.”