Credit: State Service for Special Communications and Information Protection for Ukraine

Russian espionage and financial theft campaigns have ramped up, Ukraine cyber agency says

Threat actors are using increasingly sophisticated attack methods to target Ukrainian systems and exploit legitimate services, making it harder to prevent malicious activity, one of Ukraine’s top cyber agencies said on Tuesday.  

Most of the cyberattacks targeting Ukraine over the past year were for espionage, financial theft, or to inflict psychological damage, researchers at Ukraine’s State Service for Special Communications and Information Protection (SSSCIP) found. The majority of these campaigns were attributed to three Russia-linked hacker groups, tracked as UAC-0010, UAC-0006, and UAC-0050.

Over the past year, the cyber agency’s incident response center identified and addressed 1,042 cybersecurity incidents impacting government, defense, and critical services. Its new report is based on data collected from network monitoring equipment installed on the systems of nearly 90 Ukrainian enterprises.

The vast majority of detected cyberattacks involved the spread of malicious software, intrusion attempts and information gathering. The primary initial vectors for the attacks were the use of compromised accounts and the distribution of malware via email, the researchers found.

A hacker group tracked as UAC-0010 — also known by the name Gamaredon — remains the most active state-sponsored threat actor targeting Ukrainian state agencies and defense enterprises. Last year, Ukraine detected 277 cyber incidents attributed to the group.

Gamaredon has been active since at least 2013 and is believed to operate from the Russian-annexed Crimean peninsula. The group is thought to act on orders from Russia’s Federal Security Service (FSB).

Another threat actor, tracked as UAC-0006, was responsible for 174 cyber incidents last year focusing on financial theft. The group is primarily known for using Smokeloader malware in its attacks targeting Ukrainian financial institutions and government organizations.

The third most active threat actor, tracked as UAC-0050, was behind large-scale information campaigns targeting Ukrainian institutions, including one recent campaign involving emails warning of a terrorist attack. According to the report, the group is also involved in cyber espionage and financial theft.

In September, SSSCIP noted “a significant change” in the use of cyberattacks by Russian hackers this year.

“Hackers are no longer just exploiting vulnerabilities wherever they can; they are now targeting areas critical to the success and support of their military operations,” the agency said at the time.

Ukrainian researchers have predicted that despite Russia’s focus on espionage, financial theft, and influence operations, destructive attacks against critical infrastructure, including energy facilities, are likely to continue.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.