Gamaredon: The Turncoat Spies Relentlessly Hacking Ukraine


WIRED, 14-04-2025

Apr 14, 2025 6:00 AM

For the past decade, this group of FSB hackers—including 'traitor' Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.

ANIMATION: JAMES MARSHALL

Russian state hackers, perhaps more than those of any other nation, tend to show off. The notorious Sandworm unit within Russia's GRU military intelligence agency, for instance, has triggered unprecedented blackouts and released destructive, self-replicating code. The FSB's ingenious Turla group has hijacked satellite internet connections to steal victims' data from space. But one team of less-flashy cyberspies working on behalf of the Kremlin rarely earns the same notice: Armageddon, or Gamaredon.
The hackers, believed to work in the service of Russia's FSB intelligence agency, aren't known for their sophistication. Yet they have strung together a decade-plus record of nearly constant espionage-focused breaches, grinding away with simple, repetitive intrusion methods, year after year. Thanks to that sheer overwhelming quantity of hacking attempts, they represent by some measures the top espionage threat facing Ukraine in the midst of its war with Russia, according to cybersecurity defenders who track the group.
'They are the most active state-aligned hacker group attacking Ukrainian organizations, by far,' says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET.
ESET has tracked Gamaredon as it's breached the networks of hundreds of victims in Ukraine, stealing thousands of files on a daily basis, Lipovsky says. 'Their operation is highly effective,' he adds. 'Volume is their big differentiator, and that's what makes them dangerous.'
If Gamaredon doesn't behave like other Russian hacking groups, that's in part because some of them aren't Russian nationals—or weren't, technically, until 2014.
According to the Ukrainian government, Gamaredon's hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine's Maidan revolution. Some of them previously worked on behalf of Ukraine's own security services before switching sides when Russia's Crimean occupation began.
'They are officers of the 'Crimean' FSB and traitors who defected to the enemy,' reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems including critical infrastructure like 'power plants, heat and water supply systems.'
The group's initial access techniques, ESET's Lipovsky says, consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine. Those relatively basic tactics have hardly evolved since the group first appeared as a threat aimed at Ukraine in late 2013. Yet by tirelessly cranking away at those simple forms of hacking and targeting practically every Ukrainian government and military organization—as well as Ukrainian allies in Eastern Europe—on a daily basis, Gamaredon has proven to be a serious and often underestimated adversary.
'People sometimes don't realize how big a part 'persistence' plays in the phrase APT,' says John Hultquist, chief analyst for Google's Threat Intelligence Group. 'They're just relentless. And that itself can be kind of a superpower.'
In October 2024, the Ukrainian government went as far as to sentence two of Gamaredon's hackers in absentia for not only hacking crimes but treason. A statement from the SBU at the time accused the two men—neither of whom are named—of having 'betrayed their oath' by voluntarily joining the FSB.
For Gamaredon's former SBU hackers, turning on their former countrymen may not have resulted in the perks they hoped. Aside from the apparent slog of their nonstop phishing campaigns, intercepted phone communications between members of the group published by the SBU appear to show them complaining about their low pay and lack of recognition. 'They should have given you a medal,' one team member says to another in the Russian-language conversation. 'Screwed one more time.'
Given how mind-numbingly workaday their hacking campaigns are, it's no wonder they complained about their working conditions, says Google's Hultquist.
'Drudgery is so core to their operations,' he says. 'This group grinds out wins.'
As disgruntled as Gamaredon's hackers may be, defending against their constant barrage of spying attempts is at least as difficult and boring, say some of the defenders tasked with tracking them. The group writes its malware in relatively unsophisticated scripting languages like VBScript and PowerShell rather than the C++ used by savvier hackers. But Gamaredon tweaks its humdrum code constantly, sometimes with automated changes to create endlessly differentiated versions designed to defy antivirus, according to ESET, whose anti-malware products are used widely across Ukraine.
In some cases, the hackers infect the same machine with numerous malware specimens, and hit so many targets that ESET hasn't even been able to identify all of the group's victims, despite closely tracking Gamaredon's campaigns.
'It's exhausting work,' says Anton Cherepanov, an ESET malware researcher. 'People overdose and get burnt out.'
Since the start of Russia's full-scale war in Ukraine in 2022, Gamaredon has evolved to broaden its intelligence collection to messaging tools like Signal, WhatsApp, and Telegram, as well as the Delta software used by the Ukrainian military on tablet computers. A 2023 report by CERT-UA, the Computer Emergency Response Team of Ukraine, warned that Gamaredon has on at least one occasion launched a data-destroying attack against a victim facility, though it usually confines itself to mere intelligence gathering on behalf of the Russian military effort.
The same report notes that once Gamaredon infects a machine, it often starts stealing files in as little as 30 minutes. By the end of a week, if the machine remains infected, the hackers will have installed 80 to 120 variants of its malware on the computer. If defenders fail to delete even one, the hackers keep their foothold and can maintain access to that device.
All of that means Gamaredon represents a challenge that's painfully dull for cybersecurity defenders, but with dauntingly high stakes in the context of a war where stolen secrets can mean the difference between life and death.
'They're not interesting,' ESET malware researcher Zoltán Rusnák says. 'Just dangerous.'
