Image: Irina Grotkjaer via Unsplash

Russian hackers turn to AI as old tactics fail, Ukrainian CERT says

Russian hackers are increasingly using artificial intelligence and adopting new tactics in cyberattacks against Ukraine as Kyiv’s defenses grow stronger, Ukrainian government researchers said in a new report.

Since Russia’s invasion in 2022, cyberattacks on Ukraine have continued to rise, surpassing 3,000 cases in the first half of this year — about 20 percent more than the same period last year. At the same time, the number of high-impact incidents has declined as Ukraine’s defenses improve.

That progress has forced Russian hackers to abandon outdated tactics, automate more of their operations and increasingly experiment with AI-generated malware, according to Ukraine’s computer emergency response team, CERT-UA.

In a report released Wednesday, the agency warned that attackers are now using AI not only to write phishing messages but also to generate malicious code itself. Researchers believe AI tools were used to create PowerShell scripts in malware known as Wrecksteel, attributed to the cyberespionage group UAC-0219.

“The use of artificial intelligence in cyberattacks has reached a new level,” CERT-UA said. “We have investigated several viruses showing clear signs of being generated with AI, and attackers will certainly not stop there.”


Russian hackers are also adapting to faster infrastructure takedowns, researchers said. Improvements in Ukraine’s detection systems and closer cooperation with international cloud providers have pushed attackers toward shorter, more transient campaigns.

Instead of maintaining persistence within networks, hackers increasingly deploy data-stealing tools that grab what they can and disappear — a shift CERT-UA described as the “Steal & Go” model.

As phishing becomes less effective against better-trained Ukrainian users, Russian hackers are increasingly turning to so-called zero-click vulnerabilities — software flaws that allow infections without any user interaction.

CERT-UA noted a surge in the use of such vulnerabilities in early 2025, including renewed exploitation of a known flaw in the open-source email platform Roundcube (CVE-2023-43770). The vulnerability allows attackers to execute malicious code when an email is merely viewed in the inbox — no clicks required.
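The defender's first question about the Roundcube flaw mentioned above is which instances are still in the affected range. The check below is an added example and not part of the article; the fixed versions (1.4.14, 1.5.4, 1.6.3) are taken from the upstream Roundcube advisory for CVE-2023-43770 rather than from this page, and the host inventory is constructed sample data.

```python
import re

# Fixed releases per maintained branch for CVE-2023-43770, taken from the
# upstream Roundcube advisory (assumption: not stated in the article).
FIXED_VERSIONS = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}

def parse_version(text):
    """Extract (major, minor, patch) from a banner such as 'Roundcube Webmail 1.6.2'.
    A missing patch number is treated as 0. Returns None if no version is found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(text):
    """True if the version is below the fix for its branch.
    Branches older than 1.4 never received a fix and are treated as affected;
    branches newer than 1.6 are assumed to postdate the fix."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version in {text!r}")
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    return v < (1, 4)

def triage(inventory):
    """Return the hostnames whose Roundcube version is still in the affected range."""
    return sorted(host for host, banner in inventory.items() if is_affected(banner))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mail-a.example.invalid": "Roundcube Webmail 1.6.2",
    "mail-b.example.invalid": "Roundcube Webmail 1.6.3",
    "mail-c.example.invalid": "Roundcube Webmail 1.5.3",
    "mail-d.example.invalid": "Roundcube Webmail 1.4.14",
    "mail-e.example.invalid": "Roundcube Webmail 1.3.17",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: still affected by CVE-2023-43770, patch required")
```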

Moscow also continues to synchronize cyber operations with missile and drone strikes to amplify their disruptive effect, the report said. CERT-UA cited the Sandworm hacking unit, linked to Russia’s military intelligence, as one of the groups coordinating such hybrid attacks.

CERT-UA said that Russia’s evolving tactics and techniques, including new methods of spreading malware, have been partly successful. Still, Ukraine’s defenders said they have managed to keep up, detecting and neutralizing infections at roughly the rate at which new ones are found.

“After more than three years of full-scale war, the enemy has still not achieved the goals of its so-called special military operation,” researchers said. “Every day it increases the number of its attacks — both drones and missiles, and cyberattacks.”


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.