Ukraine sees shift in Russian hacking tactics: more widespread, less severe


After failing to induce the desired panic among civilians or achieve a battlefield impact, Russian threat actors in Ukraine have pivoted to targeting any systems related to war and politics and maintaining a low profile.

Ukraine reported 85% fewer critical and high-severity cybersecurity incidents during the first half of 2024 compared to the previous period. However, the number of total incidents increased by 19% from the second half of 2023.

According to a report by the State Service of Special Communications and Information Protection (SSSCIP) in Ukraine, the number of investigated cyber incidents targeting the security, defense, and energy sectors more than doubled.


This marks a pivot in Russian threat actors’ tactics. In 2022, when Russia launched its invasion of Ukraine, they focused on damaging critical IT infrastructure, exfiltrating databases, and targeting media and commercial organizations with evident vulnerabilities.

When this failed to produce the intended long-term effects, in 2023, the strategy shifted to targeting internet service providers, ministries, and governmental bodies. Yet again, Ukraine managed to recover rapidly from breaches.

In 2024, Ukraine has observed yet another pivot. Russian hackers now focus “towards anything directly connected to the theater of war and attacks on service providers.” They try to sustain low-profile persistence in systems related to war and politics.

“Hackers are no longer just exploiting vulnerabilities wherever they can but are now targeting areas critical to the success and support of their military operations,” said Yevheniya Nakonechna, Head of the State Cyber Protection Centre of the SSSCIP.

Only three incidents were labeled as “critical” in the first half of 2024, compared to 31 incidents in the second half of last year and 27 incidents in H1 2023. Most of the incidents were registered as medium severity (1670), with this category increasing by 32%.

The number of attacks targeting the security and defense sector more than doubled, from 111 in H2 2023 to 276 in H1 2024. Ukraine observed activity from eight cyber threat clusters, some of which may be linked to RosGvardia, the Russian Ministry of Internal Affairs, the General Staff, and the Special Communications Service.

Ukraine has observed a 90% increase in malware infection incidents, of which a significant portion are distributed through pirated software.

“Hackers are increasingly targeting messenger accounts to facilitate the spread of malware and phishing campaigns, aiming to compromise as many users as possible. Among the victim’s contacts, there may be ‘high-value’ targets whose messaging history is of particular interest to various intelligence agencies of the aggressor nation.”


Account compromise attacks are also exploited for financial gain. Russia launched mass campaigns to steal accounts on messaging apps such as WhatsApp and Telegram.

In March 2024, a threat actor labeled UAC-0002 (Sandworm) launched a sophisticated supply chain attack targeting nearly 20 Ukrainian energy infrastructure entities. Hackers managed to compromise a shared service provider and targeted at least three supply chains simultaneously, likely to amplify the impact of Russian missile strikes on Ukraine’s infrastructure. The attack impacted energy, heating, and water facilities in ten regions of the country.

SSSCIP warns that the capabilities of hackers are continually growing.

“The war persists, and cyberspace remains a battlefield in its own right. The enemy is determined to gather intelligence by any means necessary, leading us to believe that cyberattacks targeting military personnel and government bodies will remain prevalent,” the report concludes.

“Phishing and malware infections are the primary tools of cyber espionage, with human behavior being the weakest link.”