Ukraine intelligence doxed 5 FSB officers who are members of the Gamaredon APT group

Ukraine’s premier law enforcement and counterintelligence agency revealed the real identities of five FSB members behind the Gamaredon cyberespionage group.

Ukraine’s premier law enforcement and counterintelligence agency disclosed the real identities of five alleged members of the Russia-linked APT group Gamaredon (aka Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) who are suspected of being part of the Russian Federal Security Service (FSB).

According to the Security Service of Ukraine (SSU) Cyber Security Department, the group carried out over 5,000 cyberattacks against public authorities and critical infrastructure of Ukraine. 

The five individuals are Sklianko Oleksandr Mykolaiovych, Chernykh Mykola Serhiiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriiovych, and Sushchenko Oleh Oleksandrovych.

“They are officers of the ‘Crimean’ FSB and traitors who defected to the enemy during the occupation of the peninsula in 2014. The SSU has managed to identify the perpetrators’ names, intercept their communication and obtain irrefutable evidence of their involvement in the attacks. All of that, despite the fact that they used the FSB’s own malicious software and tools to remain anonymous and hidden online. 5 members of the group have been notified of suspicion of treason.” reads the announcement published by the SSU.

“The ARMAGEDON hacker group is an FSB special project, which specifically targeted Ukraine. This ‘line of work’ is coordinated by the FSB’s 18th Center (Information Security Center) based in Moscow.”

Ukrainian authorities revealed that the individuals are officers of the ‘Crimean’ FSB; for this reason, they are considered traitors who defected to the enemy during the occupation of Crimea in 2014.

The Gamaredon group was first discovered by Symantec and TrendMicro in 2015, but evidence of its activities has been dated back to 2013. The group targeted government and military organizations in Ukraine. In December 2019, the APT group targeted several Ukrainian diplomats, government and military officials, and law enforcement.

The group relied on both legitimate, publicly available software products and custom malware, such as the Pterodo/Pteranodon backdoor.

The investigation is still ongoing; government experts are collecting forensic evidence to charge the individuals with espionage and unauthorized access to computer networks.

“The activity and development of the hacker group “Armageddon” during 2014-2021 has led to the existence of a new real cyber threat. In the period 2017-2021 this group implemented the most numerous cyberintelligence actions on various vectors of public administration. Armageddon does not use complex and sophisticated techniques, tactics and procedures, does not try to make an effort to stay secret for a long time.” reads the report published by the SSU. “Staying off the radar is not a group priority. However, the group’s activities are characterized by intrusiveness and audacity. It is evidenced by the name of the group “Armageddon”, which is taken from the information contained in the metadata of the first created documents-baits; cyber attacks algorithm repeatability and regular mass sending of malicious messages to the same circle of addressees; derogatory password phrases encoded in malicious software, etc.”

“The SSU is continuously taking steps to contain and neutralize Russia’s cyber aggression against Ukraine.” concludes the announcement. “The SSU Cyber Security Department, the SSU investigators carried out the operation jointly with the Main Intelligence Directorate of the Ministry of Defense of Ukraine and under the supervision of the Prosecutor General’s Office.”

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)
