Russian hackers adopt new cyberwarfare tactics against Ukraine

The cyber battlefield continues to evolve, with Russian hackers shifting from broad, destructive attacks to stealthy, targeted operations aimed at the heart of Ukraine's war effort and supply chains.

Sep 25, 2024 - 22:00

Illustrative image, photo via Wikimedia.

The Ukrainian government reports that in the first half of 2024 Russian hackers switched their focus to everything directly related to the theater of war, and to supply chain attacks.

This change not only poses new challenges for Ukraine’s defense systems but also serves as a critical case study for other nations and organizations worldwide. The resilience of Ukrainian IT infrastructure in the face of these evolving threats highlights the importance of adaptive cybersecurity measures and international cooperation in countering advanced persistent threats.

As reported by Ukraine’s State Special Communications Service in the analytical report ‘Russian Cyber Operations’ (H1 2024), at the start of the full-scale Russian invasion in 2022, Russian hackers focused on attempts to destroy IT systems in the critical infrastructure sector, as well as obtaining databases and lists.

In addition, they were actively conducting campaigns against media and commercial organizations. Russian hackers went after flaws and vulnerabilities and exploited whatever easy opportunities presented themselves.

In 2023, their strategy gradually shifted to more covert operations aimed at acquiring information and at using a cyber component to get feedback on the results of kinetic strikes. The Ukrainian government reports that "Ukrainian IT showed its resilience and ability to quickly recover from breaches."

In 2024, Ukraine observes a shift in the focus of Russian hackers to everything directly related to the theater of war, and to supply chain attacks. The aim is to remain undetected for as long as possible while maintaining a persistent presence in Ukrainian systems connected with the war and with state activities.

Cyber threats and methods

The document outlines cybersecurity trends and threats observed in the first half of 2024, continuing patterns from late 2023. Cyber espionage attacks primarily used targeted email campaigns to distribute malicious software. Eight significant cyber threat clusters were identified, including groups from Russia, China, and occupied territories.

At the beginning of 2024, the Russian hacker group UAC-0050 was responsible for most malicious email campaigns, with up to five incidents weekly. However, their activity declined by March and ceased by April. Groups UAC-0149 and UAC-0184 then became more prominent, using sophisticated methods to target individuals in the Defense Forces. Attacks from UAC-0010, operated by Russia’s FSB, have been ongoing since 2014.

The document mentions several unattributed hacker groups possibly linked to Russian government entities like RosGvardia, MVD, and the Federal Protective Service. It also notes that UAC-0006, a group involved in stealing funds from Ukrainian companies, disappeared in March 2024 but resurfaced in May.

During UAC-0006’s absence, several ransomware attacks occurred, encrypting data in commercial companies’ networks, including backups. The only recovery option for affected companies was to comply with the attackers’ demands.

Hackers are increasingly targeting messenger accounts to spread malware and phishing campaigns, aiming to compromise high-value targets and exploit messaging histories. This tactic is used for both espionage and financial gain, the document states.

The document highlights the risk of pre-packaged backdoors in pirated software leading to system infections. It acknowledges the importance of international support in providing licensed software and security tools to minimize these risks.

However, it emphasizes that this support alone is insufficient, and stresses the critical need for licensed software and tooling, such as Windows, Office, EDR, MDM, SIEM, and IDM, in both Ukrainian military and civilian organizations, so that they are not exposed to the vulnerabilities that come with unlicensed software.
