Phishing on the Dnieper: Russian Offensive Cyber Operations in Ukraine

The 2014 conflict between Russia, Ukraine, and the broader global defence community has tested various geopolitical norms, both militarily and politically. However, the conflict has also served to highlight the rapid expansion of information operations (IO) by various bureaucratic and military actors, especially within the cyber domain. With this explosive growth of IO in conventional conflicts, it is unsurprising that there has also been a comparatively steady growth in organizations which have developed elite units or teams responsible for a wide variety of foci, including technology-based, regionally-based, or industry-based targeting. While many of these units, such as the so-called ‘Sandworm’ team, have gained significant media attention for their alleged operations against Ukrainian critical infrastructure, many others have remained relatively obscure, despite extensive targeting and sustained operations which have played a critical, if somewhat obfuscated, role in the ongoing conflict.

Russia’s ongoing information operations against Ukrainian national security targets are, on the surface, perhaps not out of character given the ongoing conflict in the Crimean peninsula, the Donbas region, and elsewhere. Indeed, such targeting is very likely expected; however, the extensive reliance on so-called Offensive Cyberspace Operations (OCO) as the dominant form of IO remains anomalous in the paradigm of traditional conflict, and likely telegraphs fundamental changes in the military doctrine of Russia and of other developed nations. OCO, as a form of IO, can be broadly categorized into three core competencies: Cyberspace Defence (CD), operations aimed at defeating or defending against enemy efforts to degrade or deny computer-based communications to friendly forces; Cyberspace Attack (CA), operations aimed at degrading or denying the enemy’s computer-based communications; and Cyberspace Exploitation (CE), operations aimed at intelligence gathering through the use of computer networks owned, or used, by the enemy. The objective of this paper is to serve as a starting point for examining regionally-focused Russian OCO activity, especially in the form of CE, through a case study of a group which has been significantly involved in the ongoing conflict. This group, which has been given the nom de guerre ‘Gamaredon’ (amongst many others), has been responsible for a number of CE-based information operations which have demonstrated a nearly singular focus on Ukrainian targets of military or political significance.

The use of cryptonyms, otherwise referred to simply as ‘code names,’ has been common practice within the Intelligence Community (IC) as a whole since at least World War I; the practice has been adopted particularly widely within the cyber disciplines of the IC. These names are often used to refer to particular activities which appear to share a geographic origin, as well as similar tactics, techniques, and procedures (TTPs). With the growing integration of the private sector, many private firms have also adopted this practice, both as a means of categorization and as a clever marketing tactic. However, as no central authority or naming convention exists in the private cyber-security industry, threat actors have accrued a number of sobriquets; Gamaredon, for example, is also known as Gamaredon Group, Pteradon, Pterado, Operation Armageddon, Callisto, Primitive Bear, Resetter, FRAUDROP, TEMP.Armageddon and likely many others.

Gamaredon is a group which has been active since at least 2013 and which has, with only minor deviations, focused its efforts on targets in Ukraine of military and political significance. This singular regional focus is unusual for Russian OCO, with many of the other groups exhibiting specialties in particular technologies or industries but being deployed globally. While Gamaredon has been active in Ukraine since the beginning of the Russo-Ukrainian conflict, it has remained relatively obscure compared to many other actors. That said, one of the most well-known operations conducted by Gamaredon was the so-called Operation Armageddon, an extensive attempt, lasting more than two years, to infiltrate Ukrainian military and national security establishments through the use of CE.

The relative sophistication of their operational security, their perceived motivations, and their almost exclusive focus on Ukrainian national security targets has led many to attribute Gamaredon to Russian security services. This assessment has also been corroborated by the Security Service of Ukraine (SBU), during the so-called Operation Armageddon, where the threat actors were attributed to the 16th and 18th Centers of the Federal’naya sluzhba bezopasnosti Rossiyskoy Federatsii, better known by their acronym, FSB. If this assessment is accurate, it would be the second major team which is suspected to originate from within the halls of the FSB, alongside the group known as Turla, a prolific actor which has been accused of targeting Europe and the United States of America since at least 2008. This divergent targeting — Turla is accused of focusing on at least 35 countries in 2019 alone, while Gamaredon is suspected of having only focused on two countries over nearly seven years of operation — demonstrates a unique prioritization by the Russian government in its targeting preferences.

As with many large-scale government operations, while much is known of the outcome, the logistical and support tasks are often overlooked. Such is the case with Operation Armageddon, which is often observed solely through the macro lens of the modern media cycle, which delivers the crescendo without examining the entire composition. Indeed, from what can be discerned, the preparatory work for Operation Armageddon appears to have begun at least a year and a half prior, in mid-2013. These initial dates are derived from file timestamps, a type of metadata contained in the malicious software (also known by the popular portmanteau malware) showing when it was last modified. Additionally, around the same time period, the actors began the task of setting up infrastructure, such as domain names and servers, from which to conduct their operations. While none of this preparatory work is particularly unique to Gamaredon specifically, or the Russian government generally, what it demonstrates is the extensive commitment of the Russian government to the logistics and complicated planning of this operation, especially as it carried on for nearly two years.

Gamaredon’s initial efforts to target Ukraine broadly appear to have begun shortly before the 10th Yalta Annual Meeting, whose theme was “Changing Ukraine in a Changing World: Factors of Success” and which was held in September 2013. This annual gathering, which began in 2004, describes itself as an “… open platform to discuss and look for new ideas and views on paths to European, Ukrainian and global development …” The 10th iteration of this conference included a speech by a senior EU official on the topic of Ukraine’s progression towards governmental relations with the EU, specifically towards the Association Agreement (AA), which would see increased trade between EU members and Ukraine while reducing reliance on Russia and the Commonwealth of Independent States. While Moscow, at the time, was looking to maintain the status quo with Ukraine, it felt it needed to address the potential threat of a move away from Russia.

Gamaredon’s efforts initially began by employing spear phishing against certain Ukrainian officials who would be attending the conference. Phishing is the practice of sending thousands of emails containing links or attachments in the hope that a victim infects their own system (the bite); spear phishing is the same practice but targets only a selected group of people, often with highly convincing email content (the lure). While spear phishing in general is very common amongst threat actors, Gamaredon distinguished itself through the use of extremely well-researched topics relevant to the intended victims, as well as content which was both realistic and compelling. This level of well-researched and well-developed spear phishing content remains a hallmark of Gamaredon to this day, with many emails featuring official content from the Ukrainian government, some of which has been stolen in past compromises.

For the victims who were successfully phished, their systems were infected with malware which allowed the Russian operatives not only to access the infected officials’ systems and the data contained on them, but also to watch their Ukrainian marks’ activities in real time, and even impersonate them when they were away from their keyboards. While it remains unknown exactly what the Russian operatives had access to, and how that may have affected Russo-Ukrainian relations at the time, it stands to reason that Russia acquired significant data on the forthcoming multilateral negotiations between Ukraine and the EU.

These initial salvos of spear phishing, however, were only the beginning of Gamaredon’s activities, though its operational objective appears to have shifted from politically-motivated espionage to more traditional military intelligence following the removal of pro-Russian Ukrainian President Viktor Yanukovych during the 2014 Ukrainian Revolution. These salvos, often conducted in waves referred to as campaigns, appeared to align with conventional kinetic pro-Russian operations, including the 2014 Ukrainian Air Force Il-76 shootdown and the shootdown of Malaysia Airlines flight MH17; in both cases the campaign featured salient content targeted at the intended victims and was distributed no more than a day later. Further, upon the agreement that Ukraine would withdraw its forces, the campaigns appeared to cease altogether. This same frequency and pattern of activity would continue throughout the Russo-Ukrainian conflict and would, indeed, become another hallmark of Gamaredon, with operations resuming or increasing during periods of heightened tension, and reducing or ceasing altogether during periods of détente. Even at the time of writing, the group continues to operate with the ebbs and flows of the conflict, with great consistency in its TTPs, appearing to adhere to the old adage, “if it ain’t broke, don’t fix it.”

Throughout the operation, Gamaredon demonstrated a willingness to make corrections or take different tacks as required, as well as continuing to improve its tools and operational security, both for effectiveness and for efficiency. While such corrections are common in many CE operations, they further reinforce Gamaredon’s interest in maintaining its tailored access operations within a subset of Ukrainian government departments. This singular focus, especially in more recent operations, has permitted the group to commit significant resources to the development of tools used exclusively by the group, as well as to preserving its freedom of movement through efforts to keep those tools from being detected by commercial security products.

While the Russo-Ukrainian conflict has challenged many geopolitical norms, it has also caused many to reconsider theories of warfare, especially given the explosive growth in the use of Information Operations in the realm of OCO. One of the chief agents of this change has been Russia, in its continuous targeting of Ukraine, especially through the suspected FSB-led group Gamaredon. This group has remained heavily active and focused on Ukrainian national security targets since at least 2013, especially in its conduct of Operation Armageddon. However, with the Russo-Ukrainian conflict remaining in a fog of war and détente, Gamaredon shows no signs of reducing its overall operational tempo, nor of realigning its focus outside of Ukraine. Gamaredon has demonstrated value in its OCO abilities, especially in CE, but also in its ability to affect the information space and instill a sense of insecurity in those tasked with defending Ukraine’s networks.

Featured image: Movement of heavy weaponry in eastern Ukraine. Licensed under CC by 2.0.

Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.

About Ian Litschko

Ian Litschko is a Threat Intelligence Analyst.