Cyberwar against Ukraine. Russian hackers have chosen a new direction of attacks

Russian hackers, instead of broad, destructive attacks on Ukrainian agencies, began to focus on covert intelligence collection.

Points of attention

  • Russian hackers have shifted from destructive attacks to covert intelligence collection in the evolving cyberwar against Ukraine.
  • The hacker strategy changed in 2023, with a focus on establishing presence in key systems and collecting intelligence, contributing to an increase in sophisticated cyberattacks.
  • The number of financially motivated cyberattacks has risen, with hackers using supply chain attacks and sophisticated phishing campaigns to gain access to critical systems.

Russian hackers are massively collecting intelligence on Ukraine

This is stated in the report "War and Cyber: Three Years of Struggle and Lessons for Global Security", which was prepared by specialists from the State Special Communications Service together with the ICE Task Force analytical center.

The State Special Communications Service emphasized that cyberwarfare against Ukraine is constantly developing, requiring Ukrainian specialists to continuously improve methods of protection and active countermeasures.

In 2024, the focus shifted to facilities related to military operations and service providers that support military efforts. The number of critical incidents decreased, but cyberattacks on government organizations and local governments increased significantly, accounting for up to 60% of all incidents. This may be due to initial access attempts through phishing and the spread of malware.

It is noted that today the enemy is increasingly using supply chain attacks, compromising suppliers and developers of specialized software to silently gain access to critical systems.

Phishing campaigns have become even more sophisticated, and hackers are using complex chains of SSH tunnels through Tor to hide their location.

The most active Russian group monitored by CERT-UA in 2022-2024 is UAC-0002 (Sandworm), which belongs to the General Staff of the Russian Armed Forces (GRU) and is active in the energy and telecommunications sectors. The UAC-0010 group (Gamaredon, Primitive Bear), associated with Center 18 of the FSB, is the most active, with 829 recorded incidents in three years.

It is noted that at the beginning of the full-scale invasion in 2022, Russian hackers focused on destructive operations, trying to paralyze Ukraine's critical infrastructure, steal data and sow panic. At that time, the main targets were the energy and telecommunications sectors, as well as government institutions. Malware such as WhisperGate, HermeticWiper and Industroyer2 was recorded.

However, thanks to the quick response of Ukrainian specialists, significant disruptions in the provision of critical services were avoided. In 2023, the enemy's strategy changed. Instead of broad, destructive attacks, Russian hackers began to focus on covertly collecting intelligence and establishing a presence in key systems. The number of sophisticated attacks increased, and new, previously unknown hacker groups also appeared. Special attention was paid to attacks on messengers popular with the military, with the aim of collecting critical data.

It is also reported that the number of financially motivated cyberattacks has increased.

The enemy is increasingly using supply chain attacks, compromising vendors and developers of specialized software to gain stealth access to critical systems. Phishing campaigns have become more sophisticated, and hackers are using complex chains of SSH tunnels through Tor to hide their location.
