For years, a small and disparate Ukrainian team including IT experts, intelligence officers, and a criminal prosecutor has kept a wary eye on a group of hackers nicknamed Armageddon.
The hackers were based in Crimea, shielded by the Russian government, which had seized the region in 2014, and out of the reach of the Security Service of Ukraine.
The Ukrainian team watched Armageddon from afar to learn the ways of its enemy. It quietly studied the hacking group’s cyber weapons, intercepted phone calls, and even outed its purported leaders.
Armageddon is not the most sophisticated of Russian government-affiliated hacking groups that have attacked Ukraine, but it is among the most prolific. In 5,000 different attempts, it has unleashed ever more effective malware, hidden within cleverly engineered emails to spy on Ukrainian government bodies.
But following Russia’s invasion on February 24, its latest attacks have been parried thanks, in large part, to Ukraine’s deep knowledge of Armageddon’s signature moves.
“What is the best time to study your enemy? Long before the fight,” said a Western official who asked not to be named. “This is especially true when you have no choice but to react.”
According to Western and Ukrainian officials, as well as cybersecurity experts, the long-running tracking and tackling of Armageddon is just one example of a “persistent defense” that has enabled Ukraine to fend off an astounding number of cyberattacks in recent weeks.
That has allowed the country to show the same resilience online as its troops have on the ground. This toughness comes from years of preparing for, and sometimes recovering from, sophisticated Russian cyberattacks, including one that knocked out the power supply to some Kyiv suburbs in 2015.
A year later, retired US Navy Admiral Michael Rogers, who at the time led both US Cyber Command and the National Security Agency, sent the first teams of American soldiers to help bolster Ukrainian cyber defenses. He said the missions allowed the Americans to simultaneously “look at Russian tradecraft, look at Russian malware, look at the specifics of how Russian cyber entities tend to operate.”
Earlier this month, that preparation paid off. Ukrainian officials, assisted by Western cybersecurity companies, discovered high-grade malware from a different hacking group, dubbed Sandworm, lurking inside computers at a power station serving millions.