Researchers at Lookingglass Cyber Solutions outlined details of a cyber-espionage campaign aimed at the Ukrainian government that goes back more than two years.
According to Lookingglass, ‘Operation Armageddon’ has been active since at least mid-2013. The campaign has been targeting Ukrainian government, law enforcement and military officials in an attempt to steal information. The Security Service of Ukraine (SBU) has issued statements attributing the campaign to branches of Russia’s Federal Security Service (FSB).
The campaign’s name was derived from multiple Microsoft Word documents used in the attacks. The word “Armagedon” (spelled incorrectly) was found in the “Last Saved By” and “Author” fields in multiple documents, according to the Lookingglass report.
“The attacks themselves were not sophisticated,” said Jason Lewis, chief collection and intelligence officer at Lookingglass. “Spearphishing is a common tactic. They used it because it works. The interesting part is that they were able to steal documents and then reuse them to attempt to infect other users. The documents that were used as the lure were very authentic and targeted.”
The attack’s timing, the firm said, is tied to Ukraine’s decision to support the Ukraine-European Union Association Agreement, which Russia opposed. The agreement was eventually signed in 2014 after lengthy negotiations.
According to the report, each attack in the campaign has started with a targeted spear-phishing email convincing the victim to either open a malicious attachment or click a link leading to malicious content.
“The attackers use documents either previously stolen from or of high relevance and interest to Ukrainian targets, often government officials, in order to lure their victims into opening the malicious content,” the report notes.
When the most recent samples of malware are executed, a self-extracting archive (SFX) dropper launches a legitimate lure document as well as a script used to download payloads from a remote command and control (C&C) server either operated or compromised by the attackers, according to the report. Older samples from the campaign used either Adobe or Microsoft Word icons, but did not always open a lure document. The payloads have been observed as fake updates for Adobe Flash Player, Internet Explorer or Google Chrome as well as SFX archives.
“There have been several observed instances of multistage payloads with up to three levels of nested SFX archives before the ultimate malware is reached,” according to the report. “Throughout the course of the campaign, the final payloads have been some form of Remote Administration Tool (RAT) – either the “Remote Manipulator System” (RMS), which is a very popular RAT commonly distributed in Russian hacking forums, or UltraVNC, which is a RAT that’s freely available online. These RATs have both been categorized as malicious by the AntiVirus industry. Additionally, early campaign payloads have also included malware that modifies the DNS servers used by victim machines in order to redirect traffic.”
According to Lewis, there was evidence the malware was built on a Russian operating system. Part of why the firm released the report and its indicators was to see if it would spur other researchers to add information about the campaign, he said.
“The cyber component of kinetic warfare appears to be a successful method for reconnaissance,” said Lewis. “Employing cyber espionage in concert with other methods of information gathering appears to be accelerating battlefield tactics.”
