The hackers were based in Crimea, shielded by the Russian government, which had occupied the area in 2014, and far from the reach of the Security Service of Ukraine. The Ukrainian team was watching Armageddon from afar to learn the ways of its enemy. It quietly studied the hacker group’s cyber weapons, intercepted phone calls and even outed its alleged leaders.

Armageddon is not the most advanced of the Russian government-linked hacker groups that have attacked Ukraine, but it is one of the most productive. In 5,000 different attempts, it has released increasingly effective malware hidden in cleverly designed emails to spy on Ukrainian government agencies. However, after the Russian invasion on February 24, its latest attacks were largely resisted thanks to Ukraine’s deep knowledge of Armageddon’s signature moves.

“What is the best time to study your enemy? Long before the match,” said a Western official, who asked not to be named. “This is especially true when you have no choice but to react.”

According to Western and Ukrainian officials, as well as cyber experts, the long-term surveillance of Armageddon and the response to it is just one example of a “persistent defense” that has enabled Ukraine to repel a staggering number of cyber-attacks in recent weeks. It has allowed the country to show the same resilience on the internet as its troops on the ground.

That toughness comes from years of preparation, and at times recovery, from sophisticated Russian cyber attacks, including one that cut off power to some parts of Kiev in 2015. A year later, retired U.S. Navy Admiral Michael Rogers, who headed U.S. Cyber Command and was the former head of the National Security Agency, sent the first teams of U.S. troops to help strengthen the Ukrainian government. He said the missions allowed the Americans to “look at Russian merchant ships, look at Russian malware, look at the specifics of how Russian entities tend to operate in cyberspace.” Earlier this month, that preparation paid off.
Ukrainian officials, with the help of Western cybersecurity companies, discovered high-quality malware from a different hacking group, Sandworm, hiding inside computers at a power plant that serves millions. It was scheduled to begin deleting files on April 8, repeating the successful hacks of Ukrainian power grids in 2015 and 2016, also by Sandworm, which is affiliated with the GRU, Russia’s military intelligence service. “It was an important milestone, watching Sandworm finally raise its head,” said Max Heinemeyer, a former hacker now working for Darktrace, the cybersecurity firm.

With Armageddon the Ukrainians applied the same tactic: observe, learn and prepare. “You have to know your enemies for years to be able to predict their actions,” said Shmuel Gihon, a security researcher at Israel-based Cyberint. Armageddon is a serious opponent, he said, “one of the most talented.”

At one point, the Ukrainian team listened to – and posted on YouTube – phone calls between two men who later identified themselves as Russian internal security officers, complaining about their annual bonuses and about not receiving medals, and discussing a specific hack that allowed them to seize the data on an encrypted USB stick within seconds of its being connected to a computer. Two Western officials have confirmed the authenticity of the calls.

Armageddon’s tactic was to marry an old trick – luring someone inside a government network into clicking on an email attachment – with increasingly sophisticated versions of malware. The goal of the hacker team is not to destroy. It is to hide inside organizations and gather information. Over the years, Armageddon has targeted 1,500 Ukrainian institutions. Kiev officials did not say how many of those attacks were successful.
In recent weeks, Ukrainian officials say, emails believed to have come from Armageddon have mimicked official announcements of ships entering Crimean ports, lists of military equipment requested by Ukraine, and a list of Russian war criminals identified by Ukrainian authorities.

In one case, which is still being investigated, the attachment promised to lift the veil on one of Ukraine’s state secrets and to ease the anxiety of anyone with family in the war effort. The attachment was titled “Information on the losses of the Ukrainian army”, according to Yurii Shchyhol, head of the State Special Service of Communication and Information Protection of Ukraine. “This is information that almost everyone involved in the hostilities will read today,” he said.

Once a recipient clicked, a previously unseen piece of malware, nicknamed Pseudosteel, secretly snatched text, PDFs, PowerPoints and other files and sent copies to a remote server, according to a malware analysis performed for the Financial Times by Dick O’Brien, chief information analyst at Symantec’s US-based Threat Hunter team. Symantec found, for example, that whoever made the malware was a careful worker. The attacker knew that some of the infected computers might have partitioned hard drives, so the malware was taught to search for files in those walled-off areas as well.

However, Pseudosteel has clear drawbacks. Its creators forgot that not every infected computer has the specific file required for the malware to run successfully. In fact, O’Brien said, only a handful would, making the malware less effective than planned. Also, Symantec’s reverse engineering of Pseudosteel means it is now less likely to evade advanced antivirus software.

But Armageddon has become more inventive lately. Its hackers recently wrote 100 different versions of a “Trojan backdoor”, malware designed to provide unauthorized access from which to launch a remote attack. They also appear to have attempted to infect the same computer with several pieces of malware at once to avoid detection. “It’s the equivalent in cyberspace of trying to overwhelm defenses with pure force of numbers,” O’Brien said.
But Ukraine’s defenses have shown the ability to withstand the rapid-fire techniques of a team like Armageddon. “You saw [the Ukrainians] over time develop more know-how, ability, knowledge and experience,” said Rogers, the former head of US Cyber Command. “And you see it playing out now. You have to give them credit: they have withstood a lot of Russian activity against them.”