Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare
By Jason Lewis
The LookingGlass Cyber Threat Intelligence Group (CTIG) has been monitoring an active Russian state-sponsored cyber espionage campaign targeting Ukrainian government, law enforcement, and military officials in order to steal information that can provide insight into near-term Ukrainian intentions and plans. Dubbed “Operation Armageddon” after the author name found in a Word document used in the attacks, the campaign has been active since at least mid-2013.
The Security Service of Ukraine (SBU) has publicly released at least two statements regarding these attacks, in September 2014 and March 2015. The SBU has attributed these attacks to specific branches of the Russian Federal Security Service (FSB). CTIG’s findings support the statements made by the SBU.
What makes this campaign interesting is the motivation for the attacks: obtaining an advantage in kinetic warfare against Ukraine. Through extensive temporal and technical analysis, the CTIG has found evidence that correlates waves of Operation Armageddon with Russian military activity in and around Ukrainian conflict areas. It is clear that Russia continues to advance the information warfare components of its overall modern warfare strategies in order to further its global interests.
The earliest activity associated with the campaign began in response to the Ukrainian government’s decision to start discussing how to become more economically integrated with the European Union, which Russia saw as a direct threat. As major political events unfolded and social unrest ensued, Russia asserted its physical presence on Ukrainian soil and increased its cyber activities. While the attacks continue today, the threat actors have modified their Tactics, Techniques, and Procedures (TTPs) throughout the course of the campaign in an attempt to remain undetected.
The LookingGlass CTIG will continue to monitor for new waves of Operation Armageddon, and will provide updates detailing the findings.
To view the Operation Armageddon report in its entirety, please go to the Resource Center to download the report.