Ukraine records increase in financially motivated attacks by Russian hackers

Ukraine’s government is reporting an increase in financially motivated cyberattacks conducted by previously unidentified hackers associated with Russia. 

According to a recent report, these groups have grown more active in Ukrainian networks in the latter half of 2023, causing a shift in the ongoing cyberwar previously dominated by well-known Kremlin-supported hacker groups like Sandworm and Armageddon.

“The emergence of new actors suggests a deliberate strategy by Russia to diversify its cyberwarfare arsenal,” said Yevheniia Volivnyk, chief of Ukraine’s computer emergency response team (CERT-UA). “These groups may possess unique skill sets or specialize in specific operational objectives.”

The operations’ origins and participants are still unclear, according to Volivnyk, but previous experience and victimology suggest that they are also affiliated with the Russian “military machine” or are informally funded and coordinated by the Russian state command center.

Ukrainian cyber researchers said that these new groups distinguished themselves by using well-thought-out phishing attacks. The main goal is to distribute malicious remote-access software, such as RemcosRAT and RemoteUtilities, or data theft programs, including LummaStealer and MeduzaStealer.

During the period that CERT-UA analyzed, nearly 40 percent of reported incidents were related to financial theft. 

For example, from August to September, the group tracked as UAC-0006 attempted to steal tens of millions of hryvnias ($1 = about 40 Ukrainian hryvnias) from Ukrainian financial institutions and government organizations. This threat actor, mostly known for using Smokeloader malware in its attacks, is responsible for nearly 200 incidents targeting Ukraine in the second half of 2023, according to CERT-UA.

Better targeting 

The CERT-UA report covers all Russia-linked cyber activity for the second half of 2023. Overall, the number of incidents against Ukraine has been growing steadily over the past two years, and hackers are getting better at targeting, according to the agency.

They exploit the latest vulnerabilities and align their attacks with trending events and news to “increase the attention and potential complacency of targets.”

For example, at the start of the war in Israel, the hackers sent malicious emails disguised as job offers, specifically targeting Ukrainian military personnel for consultancy roles with the Israel Defense Forces (IDF).

In one of the operations, Russia’s military intelligence hackers created a malicious mobile app, Delta, mimicking Ukraine’s official app with the same name used by the military to collect data from the battlefield. Russian hackers released this app even before Ukraine launched its official version, indicating that Moscow knew about it in advance.

For better targeting, Russia also increased its attacks on mobile devices, usually delivering info-stealing malware to their victims through messaging apps like Signal or Telegram.

According to CERT-UA’s previous report, the group tracked as UAC-0184 deployed a variety of custom and open-source malware, including HijackLoader and Remcos, to steal data from the phones of the Ukrainian armed forces.

Targeted cyberespionage operations are becoming increasingly important for Russian hackers, as the stolen data could help them gain an advantage on the battlefield, researchers said.

Focusing on telecom

Ukraine’s critical infrastructure, including the telecommunications industry, remains the highest-priority target for Russian hackers, and this trend will likely continue, CERT-UA said.

Many of the Russian operations against Ukraine’s critical infrastructure are described as “hybrid.” For example, the attack on Kyivstar, Ukraine’s largest mobile operator serving 25 million subscribers, coincided with massive missile strikes on Ukraine.

The Kyivstar hack in December left millions of people without cell and internet service. The attack also affected the air raid alert system that notifies residents of Russian missile strikes in the Kyiv region.

As kinetic strikes on Ukraine’s critical infrastructure increase, there will likely be a corresponding rise in malicious cyber activity, researchers said. The goal of such attacks would not be destruction but intelligence gathering, helping to assess the damage caused by the strikes, researchers said.

Ukraine itself is also actively targeting Russian telecom infrastructure. The country’s military intelligence announced on Friday that it carried out a large-scale cyberattack reportedly targeting internet providers and mobile operators in the Russian republic of Tatarstan.

One of Tatarstan’s largest telecommunications operators, Tattelecom, said that it was the most powerful cyberattack on its networks in the history of the company.