‘Operation Armageddon’ Cyber Espionage Campaign Aimed at Ukraine: Lookingglass

Researchers at Lookingglass Cyber Solutions outlined details of a cyber-espionage campaign aimed at the Ukrainian government that goes back more than two years.

According to Lookingglass, ‘Operation Armageddon’ has been active since at least mid-2013. The campaign has been targeting Ukrainian government, law enforcement and military officials in an attempt to steal information. The Security Service of Ukraine (SBU) has issued statements attributing the campaign to branches of Russia’s Federal Security Service (FSB).  

The campaign’s name was derived from multiple Microsoft Word documents used in the attacks. The word “Armagedon” (spelled incorrectly) was found in the “Last Saved By” and “Author” fields in multiple documents, according to the Lookingglass report.
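The metadata indicator described above lends itself to a quick triage check. The following is an added example, not code from the Lookingglass report: it reads the "Author" and "Last Saved By" properties from OOXML (.docx) packages and flags the misspelled string. The function names and the in-memory sample documents are constructed for illustration; legacy .doc files keep these fields in an OLE property stream and would need a different parser.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml inside an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
MARKER = "armagedon"  # misspelling reported in the campaign's documents

def core_properties(docx_bytes):
    """Return (author, last_saved_by) from a .docx, or (None, None)."""
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
            # For bulk handling of untrusted samples, prefer a hardened XML parser.
            root = ET.fromstring(z.read("docProps/core.xml"))
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None, None  # not OOXML, or metadata stripped or corrupt
    return (root.findtext("dc:creator", namespaces=NS),
            root.findtext("cp:lastModifiedBy", namespaces=NS))

def flag_document(docx_bytes, marker=MARKER):
    """List the metadata fields whose value contains the marker (case-insensitive)."""
    author, saved_by = core_properties(docx_bytes)
    fields = {"Author": author, "Last Saved By": saved_by}
    return [name for name, value in fields.items()
            if value and marker in value.lower()]

def make_sample(author, saved_by):
    """Build a minimal constructed .docx-like package in memory (sample input)."""
    xml = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
           f'<dc:creator>{author}</dc:creator>'
           f'<cp:lastModifiedBy>{saved_by}</cp:lastModifiedBy>'
           f'</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in [("lure", make_sample("Armagedon", "Armagedon")),
                       ("benign", make_sample("J. Doe", "J. Doe")),
                       ("legacy .doc bytes", b"\xd0\xcf\x11\xe0not-a-zip")]:
        print(label, flag_document(doc))
```

Author fields are trivially editable, so a hit is a lead for further analysis rather than proof of attribution, and an empty result does not clear a file.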

“The attacks themselves were not sophisticated,” said Jason Lewis, chief collection and intelligence officer at Lookingglass. “Spearphishing is a common tactic. They used it because it works. The interesting part is that they were able to steal documents and then reuse them to attempt to infect other users. The documents that were used as the lure were very authentic and targeted.”

The attack’s timing, the firm said, is tied to Ukraine’s decision to support the Ukraine-European Union Association Agreement, which Russia opposed. The agreement was eventually signed in 2014 after lengthy negotiations.

According to the report, each attack in the campaign has started with a targeted spear-phishing email convincing the victim to either open a malicious attachment or click a link leading to malicious content.

“The attackers use documents either previously stolen from or of high relevance and interest to Ukrainian targets, often government officials, in order to lure their victims into opening the malicious content,” the report notes.

When the most recent samples of malware are executed, a self-extracting archive (SFX) dropper launches a legitimate lure document as well as a script used to download payloads from a remote command and control (C&C) server either operated or compromised by the attackers, according to the report. Older samples from the campaign used either Adobe or Microsoft Word icons, but did not always open a lure document. The payloads have been observed as fake updates for Adobe Flash Player, Internet Explorer or Google Chrome as well as SFX archives.

“There have been several observed instances of multistage payloads with up to three levels of nested SFX archives before the ultimate malware is reached,” according to the report. “Throughout the course of the campaign, the final payloads have been some form of Remote Administration Tool (RAT) – either the “Remote Manipulator System” (RMS), which is a very popular RAT commonly distributed in Russian hacking forums, or UltraVNC, which is a RAT that’s freely available online. These RATs have both been categorized as malicious by the AntiVirus industry. Additionally, early campaign payloads have also included malware that modifies the DNS servers used by victim machines in order to redirect traffic.”

According to Lewis, there was evidence the malware was built on a Russian operating system. Part of why the firm released the report and its indicators was to see if it would spur other researchers to add information about the campaign, he said.

“We could also tell if they were using an English or Russian keyboard, and there was a mix of all those things…just the characters that were available…kind of pointed to all those things,” he said.

“The cyber component of kinetic warfare appears to be a successful method for reconnaissance,” said Lewis. “Employing cyber espionage in concert with other methods of information gathering appears to be accelerating battlefield tactics.”
