The Russian hacking group Armageddon has launched a sophisticated cyberattack campaign, targeting thousands of Ukrainian government information systems. According to the Ukrainian computer Emergency Response Team (CERT-UA), the hackers employed malicious Telegram and WhatsApp messages as the primary vector, containing the GammaSteel info stealer disguised as image or document attachments.
Once activated, the malware remained active for 30 to 50 minutes, infecting media files and Microsoft Office Word templates, enabling it to generate 80 to 120 malicious files per week and infecting numerous systems belonging to various Ukrainian public offices simultaneously.
The campaign’s main objective was information theft and gaining remote access, achieved by installing the AnyDesk remote desktop application, while the attackers also executed PowerShell commands to exfiltrate cookies, bypass two-factor authentication, and avoid detection. CERT-UA, upon analyzing the threat intelligence data, revealed the campaign’s extent and impact, highlighting the need to take immediate measures to address the threat.
To reduce the attack vector associated with Armageddon, CERT-UA advises limiting the execution of certain processes, such as Windows, command-line, and PowerShell scripts.
Armageddon, tracked as UAC-0010 by CERT-UA, is composed of former officers from the Security Service of Ukraine in Crimea, who later became part of the Russian intelligence service in 2014. The group is known as one of the most active Russian advanced persistent groups involved in cyberespionage campaigns against Ukraine since the Russian invasion in February 2022. This recent escalation in attacks highlights the ongoing challenges in countering cyber threats from state-sponsored hacking groups and underscores the need for enhanced cybersecurity measures to protect critical government systems and infrastructure.