{
	"id": "1943f618-4a4f-4d24-a166-090a5a16420c",
	"created_at": "2026-04-06T00:09:09.868244Z",
	"updated_at": "2026-04-10T03:37:04.291536Z",
	"deleted_at": null,
	"sha1_hash": "f6a0e5aa4904d488f12d88394feb80c4049aa12f",
	"title": "Ukraine links members of Gamaredon hacker group to Russian FSB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2158570,
	"plain_text": "Ukraine links members of Gamaredon hacker group to Russian FSB\r\nBy Bill Toulas\r\nPublished: 2021-11-04 · Archived: 2026-04-05 22:58:31 UTC\r\nSSU and the Ukrainian secret service say they have identified five members of the Gamaredon hacking group, a Russian\r\nstate-sponsored operation known for targeting Ukraine since 2014.\r\nThis Gamaredon hacking group, tracked as Armageddon by the SSU, is allegedly operated under the FSB (Russian Federal\r\nSecurity Service) and is believed to be responsible for over 5,000 attacks in Ukraine since the operation began.\r\nOver the last seven years, Ukraine says the actors targeted over 1,500 government, public and private entities in the country,\r\naiming to collect intelligence, disrupt operations, and take control over critical infrastructure facilities.\r\nThe five men accused of taking part in these attacks were identified by SSU investigators who claim to have unequivocal\r\nevidence of their involvement, coming from communication interceptions.\r\nThe investigators underline that they managed to identify the hackers despite the hackers using their own custom malware\r\nand anonymization tools and being generally very diligent in hiding their digital trace.\r\nThe names of the five individuals the SSU claims are part of the Gamaredon operation are Sklianko Oleksandr\r\nMykolaiovych, Chernykh Mykola Serhiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriovych,\r\nand Sushchenko Oleh Oleksandrovych.\r\nIdentities of the five identified Armageddon members\r\nSource: SSU\r\nAll five were reportedly operating under the guidance of the 18th Center of Information Security of the FSB in Moscow.\r\nMoreover, all of them are officers of the Crimean FSB who sided with Russia during the peninsula's occupation in 2014.\r\nAs such, the Ukrainian authorities are also accusing them of treason, espionage, unauthorized interference in the work of\r\nelectronic computers, and distribution and use of malware.\r\nAlthough the five men haven’t been arrested, the SSU sees their exposure as an effective neutralization measure.\r\nEntire toolset and tactics exposed\r\nThe SSU has published a technical activity report on Gamaredon, where they lay out several key points about the\r\ngroup’s toolset and tactics.\r\nThe report says the group is known to use Outlook macros and deploy the EvilGnome backdoor to compromise\r\nsystems.\r\nOther details include highly targeted vulnerabilities such as the WinRAR CVE-2018-20250 vulnerability, which existed\r\nfor almost two decades, and CVE-2017-0199, a remote code execution flaw in MS Office.\r\nMoreover, it is mentioned that the actors used removable media to plant malware on offline systems and then moved\r\nlaterally in isolated networks, using this tactic from 2014 until 2021.\r\nFinally, a novel malware tool named “Pteranodon” is detailed in the report, which is a modular remote administration tool\r\n(RAT) with powerful anti-analysis and info-collection features.\r\nPteranodon exfiltrating data to the C2\r\nSource: SSU\r\nAccording to SSU, Pteranodon was derived from “Pterodo,” a widely available malware circulating on Russian hacking forums\r\nsince 2016.\r\nThe group continued to create new powerful DLL modules for Pteranodon, so it has evolved significantly over the past five\r\nyears.\r\nThe release of these technical details will empower analysts to assign attribution on past attacks and momentarily reduce\r\nRussian state actors' operational effectiveness.\r\nSource: https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/"
	],
	"report_names": [
		"ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6a0e5aa4904d488f12d88394feb80c4049aa12f.pdf",
		"text": "https://archive.orkl.eu/f6a0e5aa4904d488f12d88394feb80c4049aa12f.txt",
		"img": "https://archive.orkl.eu/f6a0e5aa4904d488f12d88394feb80c4049aa12f.jpg"
	}
}