LookingGlass Cyber Threat Intelligence Group Links Russia to Cyber Espionage Campaign Targeting Ukrainian Government and Military Officials

Report findings provide fully documented cases and timeline showing cyber warfare and espionage being used in coordination with Russian military activities

ARLINGTON, VA – April 29, 2015 – LookingGlass Cyber Solutions today released a report by its Cyber Threat Intelligence Group (CTIG) corroborating the Ukrainian government and Security Service of Ukraine’s (SBU) claims that “Operation Armageddon” is a Russian state-sponsored cyber espionage campaign targeting Ukrainian government and military officials. The report, Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare, is one of the first to fully document cases of a cyber campaign and provides a timeline to show how cyber warfare and espionage have been used in coordination with kinetic warfare, battlefield planning, and troop movement, along with other strategic military tactics and assets.

The Ukrainian government and SBU are actively investigating this threat and have issued at least two known official statements in September 2014 and March 2015. LookingGlass started investigating after the SBU first publicly announced the attacks in September 2014.

According to LookingGlass’ CTIG, “Operation Armageddon” has been an active campaign since at least mid-2013. It is a Russian state-sponsored cyber espionage campaign designed to give a decision-making advantage to the Russian leadership by targeting Ukrainian government, law enforcement, and military officials in order to steal information that can provide insight into near-term Ukrainian intentions and plans. Temporal analysis of the campaign indicates a direct correlation between the cyber attacks and the ongoing war, in addition to highlighting an alarming blend between cyber espionage, physical warfare, and the driving political forces behind them. Although continuously developed, the campaign has been intermittently active at a small scale and uses unsophisticated techniques.

The attack timing suggests the campaign initially started due to Ukraine’s decision to accept the Ukraine-European Union Association Agreement (AA), designed to improve economic integrations between Ukraine and the European Union. Russian leaders publicly stated that they believed this move by Ukraine directly threatened Russia’s national security. Although initial steps to join the Association occurred in March 2012, the campaign didn’t start until much later (mid-2013), as Ukraine and the EU started to more actively move towards the agreement.

Each attack in the campaign started with a targeted spear phishing email convincing the victim to either open a malicious attachment or click a link leading to malicious content. The attackers use “Lure Documents” either previously stolen from, or of high relevance and interest to Ukrainian targets, often government officials, in order to lure their victims into opening the malicious content.

“To ensure we fully understand the cyber landscape, we constantly monitor global events to determine the impact they may have on the infrastructure of the Internet; such as new threats, adversaries, outages, etc. In terms of ‘Operation Armageddon’ we honestly expected to see more outages based on prior actions from the Russians against Estonia, but this time it seems they leveraged the Internet to gain a more intel-specific advantage,” stated Chris Coleman, CEO at LookingGlass. “What is unique and exciting about our report is that we have mapped out a timeline correlating the use of cyber espionage to kinetic warfare. Much like during the ‘Cold War’ when everyone knew nuclear submarine war games were going on even though it was not exposed until much later; we all believe that cyber tactics are currently being used to support war efforts. This report simply takes away the uncertainty and adds credence to those beliefs.”

Key Takeaways:

• “Operation Armageddon” is a Russian state-sponsored cyber espionage campaign active since at least mid-2013 and targeting Ukrainian government, law enforcement, and military officials for the purpose of identifying Ukrainian military strategies to aid Russian warfare efforts.
• Russia is a leading nation-state cyber threat actor that uses offensive cyber operations in tandem with kinetic attacks in pursuit of political and military objectives.
• Russia’s 2010 Military Doctrine acknowledges the intensification of information warfare activities as a feature of modern warfare.

The CTIG’s analysis techniques and correlation of attacks to real-world events support the notion that the attackers are Russian state-sponsored, although the CTIG cannot be certain which groups. Further analysis has shown consistent evidence that the malware used in the attacks came from the same group of attackers. Reuse of attacker infrastructure, TTPs, and identical malware samples across different waves supports this. Also, the password used by the attackers to connect to the infected machines never changed throughout the waves of the campaign.

The CTIG is constantly looking at global events to stay ahead of the curve on what the Internet infrastructure looks like and how different events impact that infrastructure. LookingGlass prides itself on being aware of activities so they can learn from them and share their unique threat comprehension with clients. In the case of “Operation Armageddon,” it started with a curiosity and resulted in very informative findings as to the impact and prevalence of nation state sponsored cyber attacks/initiatives. For more information on these findings or to download the full report, please visit our resource center.

LookingGlass’ threat intelligence management system delivers content, context and confidence in risk and security operations decision support. The LookingGlass product portfolio increases visibility within and beyond the network perimeter, allowing customers to continuously assess and mitigate threats. LookingGlass products are data and feed agnostic, supporting commercial and open source threat intelligence feeds, while delivering proprietary threat and Internet intelligence.

About LookingGlass
LookingGlass, the leader in threat intelligence that transforms security operations, empowers confident real-time decisions through focused verified multi-source information. We provide a unique lens to information customers may already have, creating active intelligence for effective decisions. LookingGlass is transforming the art of threat intelligence with innovative technology that empowers customers with complete and relevant risk information, delivering confidence, streamlining workflows and dramatically driving efficiencies. Our threat intelligence management system delivers content, context and confidence in risk and security operations decision support. This platform increases visibility within and beyond the network perimeter, enabling customers to continuously assess and mitigate threats.