
Russian hackers have shifted tactics in third year of war, Ukraine cyber agency says

Ukraine’s cyber agency has observed “a significant change” in the use of cyberattacks by Russian hackers in recent months, according to a new report.

Whereas in the first two years of the war Russian hacker groups launched opportunistic attacks across an array of targets — for either destructive purposes or cyber-espionage — this year they have shifted their focus to Ukrainian entities directly connected to the war effort.

“Hackers are no longer just exploiting vulnerabilities wherever they can but are now targeting areas critical to the success and support of their military operations,” Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) said in the new report.

The number of cyber incidents analyzed by Ukraine’s computer emergency response team (CERT-UA) in the first half of 2024 grew by almost 20% — to 1,739 — compared to the second half of the previous year.

SSSCIP also observed a significant increase in attacks on government organizations and local authorities. The number of incidents targeting the security and defense sectors, as well as the energy sector, has more than doubled.

With most corporate email servers protected by security measures, hackers are increasingly using messaging apps, including Signal and WhatsApp, to access the devices of high-value military and government targets in Ukraine.

The objectives of these attacks include stealing passwords, gaining access to email accounts and files, conducting espionage, spreading malware through phishing, and financial exploitation. As a lure, hacker groups such as UAC-0184 and UAC-0006 often use malicious documents related to military awards, combat footage, or military recruitment.

To weaken Ukrainian organizations, the hackers also carry out cyberattacks aimed at stealing funds from Ukrainian companies. During one attack, cybercriminals used ransomware to encrypt data on the networks of unnamed businesses, including their backups.

“The only option these companies had to recover their data was to comply with the attackers' demands and purchase the ‘decryptor,’” the agency said.

Ukraine managed to attribute some of the attacks to hacker groups linked to Russia’s military intelligence agency (GRU), as well as the federal security service (FSB). The hacker groups that have not yet been conclusively attributed may be linked to Russia’s National Guard (RosGvardia), Ministry of Internal Affairs (MVD), and the Federal Protective Service (Spetssvyaz), the agency said.

Cyberattacks targeting military personnel and government bodies will likely remain prevalent in the future, they added.

“The capabilities of hackers are continually growing, and we must also continue to improve,” SSSCIP said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.