Safety Detectives
$ United States dollar
$ United States dollar Euro£ British poundAED UAE dirhamARS Argentine pesoAU$ Australian dollarBGN Bulgarian levR$ Brazilian realCA$ Canadian dollarCHF Swiss francCLP Chilean pesoCN¥ Chinese yuanCOP Colombian pesoCZK Czech korunaDKK Danish kroneEGP Egyptian poundHK$ Hong Kong dollarHUF Hungarian forintIDR Indonesian rupiah Israeli new shekelINR Indian rupee¥ Japanese yen South Korean wonMX$ Mexican pesoMYR Malaysian ringgitNOK Norwegian kroneNZ$ New Zealand dollarPLN Polish złotyRON Romanian leuRUB Russian rubleSAR Saudi riyalSEK Swedish kronaSGD Singapore dollar฿ Thai bahtTRY Turkish liraNT$ New Taiwan dollarUAH Ukrainian hryvnia Vietnamese DongZAR South African rand

Ukraine Detects Russian-Linked 'Armageddon' Phishing Attacks

Colin Thierry
Colin Thierry
Colin Thierry Colin Thierry

The Computer Emergency Response Team of Ukraine (CERT-UA) has spotted new phishing attempts attributed to the Russian threat group tracked as Armageddon (Gamaredon).

The malicious emails attempt to trick the recipients with decoys themed after the war in Ukraine in order to infect the target systems with espionage-focused malware.

CERT-UA has identified two separate phishing campaigns, one targeting Ukrainian organizations and the other targeting government agencies in the European Union.

Armageddon is a Russian state-sponsored threat actor that has been targeting Ukraine since at least 2014 and is considered part of the FSB (Russian Federal Security Service).

According to a detailed technical report published by the Ukrainian secret service in November, Armageddon has launched at least 5,000 cyber-attacks against 1,500 critical entities in the country.

The Ukrainian forces had previously identified members of the Armageddon cyber-force, exposed their toolset, and traced custom malware development efforts to Russian hacking forums.

Ukraine and EU Phishing Campaigns

Armageddon’s Ukraine-targeting campaign distributes emails on “Information on war criminals of the Russian Federation” to various government agencies in the country.

The emails, sent from “vadim_melnik88@i[.]ua”, contain an HTML attachment that CERT-UA says currently has low detections by security software. If opened, a RAR file is automatically created and dropped on the computer, supposedly containing the identification details of Russian war criminals in Ukraine in a shortcut file (.lnk).

In the campaign targeting various EU government officials, Armageddon uses RAR archive attachments named “Assistance” and “Necessary_military_assistance.” Those archives contain shortcut files (.lnk) that supposedly include lists of things needed for military and humanitarian assistance to Ukraine during the war.

The sender’s address is “info@military-ukraine[.]site”, which may pass as legitimate. The signee is supposedly the Deputy Commander for Armaments and Major General in Ukraine.

The CERT-UA has confirmed at least one case of these emails reaching the inbox of the Latvian government so far.

About the Author
Colin Thierry
Colin Thierry
Writer

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.