Russian state hackers, perhaps more than those of any other nation, tend to show off. The notorious Sandworm unit within Russia’s GRU military intelligence agency, for instance, has triggered unprecedented blackouts and released destructive, self-replicating code. The FSB’s ingenious Turla group has hijacked satellite internet connections to steal victims’ data from space. But one team of less-flashy cyberspies working on behalf of the Kremlin rarely earns the same notice: Armageddon, or Gamaredon.
The hackers, believed to work in the service of Russia’s FSB intelligence agency, aren’t known for their sophistication. Yet they have strung together a decade-plus record of nearly constant espionage-focused breaches, grinding away with simple, repetitive intrusion methods, year after year. Thanks to that sheer overwhelming quantity of hacking attempts, they represent by some measures the top espionage threat facing Ukraine in the midst of its war with Russia, according to cybersecurity defenders who track the group.
“They are the most active state-aligned hacker group attacking Ukrainian organizations, by far,” says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET.
ESET has tracked Gamaredon as it’s breached the networks of hundreds of victims in Ukraine, stealing thousands of files on a daily basis, Lipovsky says. “Their operation is highly effective,” says Robert Lipovsky, a malware researcher at ESEThe adds. “Volume is their big differentiator, and that’s what makes them dangerous.”
If Gamaredon doesn’t behave like other Russian hacking groups, that’s in part because some of them aren’t Russian nationals—or weren’t, technically, until 2014.
According to the Ukrainian government, Gamaredon’s hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine’s Maidan revolution. Some of them previously worked on behalf of Ukraine’s own security services before switching sides when Russia’s Crimean occupation began.
“They are officers of the ‘Crimean’ FSB and traitors who defected to the enemy,” reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems including critical infrastructure like “power plants, heat and water supply systems.”
The group’s initial access techniques, ESET’s Lipovsky says, consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine. Those relatively basic tactics have hardly evolved since the group first appeared as a threat aimed at Ukraine in late 2013. Yet by tirelessly cranking away at those simple forms of hacking and targeting practically every Ukrainian government and military organization—as well as Ukrainian allies in Eastern Europe—on a daily basis, Gamaredon has proven to be a serious and often underestimated adversary.
“People sometimes don’t realize how big a part ‘persistence’ plays in the phrase APT,” says John Hultquist, chief analyst for Google’s Threat Intelligence Group. “They’re just relentless. And that itself can be kind of a superpower.”
In October 2024, the Ukrainian government went as far as to sentence two of Gamaredon’s hackers in absentia for not only hacking crimes but treason. A statement from the SBU at the time accused the two men—neither of whom are named—of having “betrayed their oath” by voluntarily joining the FSB.
For Gamaredon’s former SBU hackers, turning on their former countrymen may not have resulted in the perks they hoped. Aside from the apparent slog of their nonstop phishing campaigns, intercepted phone communications between members of the group published by the SBU appear to show them complaining about their low pay and lack of recognition. “They should have given you a medal,” one team member says to another in the Russian-language conversation. “Screwed one more time.”
