Gamaredon: The Turncoat Spies Relentlessly Hacking Ukraine

A Russian state hacker group that's been quietly wreaking havoc on Ukrainian organizations for years.

The world of cyber espionage is dominated by the flashy and the bold. Russian state hackers, such as the notorious Sandworm unit and Turla group, are known for their sophisticated techniques and devastating attacks. But one team of less-flashy cyberspies working on behalf of the Kremlin rarely earns the same notice: Armageddon, or Gamaredon.

The Unassuming Threat

Gamaredon's hackers are believed to work in the service of Russia's FSB intelligence agency. While they may not be as sophisticated as other Russian hacking groups, their sheer volume of attacks makes them a formidable threat to Ukraine.

"They are the most active state-aligned hacker group attacking Ukrainian organizations, by far," says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET.

The Origins of Gamaredon

According to the Ukrainian government, Gamaredon's hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine's Maidan revolution. Some of them previously worked on behalf of Ukraine's own security services before switching sides when Russia's Crimean occupation began.

"They are officers of the 'Crimean' FSB and traitors who defected to the enemy," reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems.

The Tactics of Gamaredon

Gamaredon's initial access techniques consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine.

Those relatively basic tactics have hardly changed over the years, but their impact is still significant.

The Evolution of Gamaredon

Since the start of Russia's full-scale war in Ukraine in 2022, Gamaredon has evolved to broaden its intelligence collection to messaging tools like Signal, WhatsApp, and Telegram, as well as the Delta software used by the Ukrainian military on tablet computers.

A 2023 report by CERT-UA, the Computer Emergency Response Team of Ukraine, warned that Gamaredon has on at least one occasion launched a data-destroying attack against a victim facility.

The Impact of Gamaredon

Defenders say that dealing with Gamaredon is "painfully dull" but with dauntingly high stakes in the context of a war where stolen secrets can mean the difference between life and death.

"They're not interesting," ESET malware researcher Zoltán Rusnák says. "Just dangerous."