
Russian Hackers Increase Attacks on Ukraine's Energy Sector

Attackers Embrace Dating Sites and Encrypted Messaging Apps for Social Engineering
Light in one window in apartment building during a rolling blackout in Kyiv after Russian shelling of power plants in a photo taken on June 1, 2024. (Image: Shutterstock)

Russian military and intelligence hacking teams have shifted to online attacks designed to help Moscow's military operations succeed, marking the latest turn in a years-long campaign that has oscillated in emphasis from cyberespionage to destruction.


Ukraine's State Service of Special Communications and Information Protection says that over the first half of this year, Kyiv cyber defenders detected a doubling of attacks against the security, defense and energy sectors (see: French Cyber Agency Warns of APT28 Hacks Against Think Tanks).

Based on investigations conducted by Ukraine's Computer Emergency Response Team and other SSSCIP cyber divisions, report authors say the overall number of critical incidents compared to the second half of 2023 dropped from 31 to 3, while high severity incidents fell from 156 to 45. In the same time frame, the SSSCIP said, the number of medium severity incidents increased by one-third, from 1,264 to 1,670, accompanied by a spike in targeted attacks against militarily strategic sectors.

Russian hackers this year have pivoted "toward anything directly connected to the theater of war and attacks on service providers - aimed at maintaining a low profile, sustaining a presence in systems related to war and politics," said Yevheniya Nakonechna, head of the State Cyber Protection Center of the SSSCIP. "Hackers are no longer just exploiting vulnerabilities wherever they can but are now targeting areas critical to the success and support of their military operations."

This includes multi-step campaigns that begin with the targeting of Ukrainian troops' personal information - including their names, passport details, place of service and rank. The SSSCIP said hackers are seeking that information to later mount social engineering attacks in bids to gain access to sensitive military systems.

"Once hackers gather enough personal information, they initiate contact with their target, often impersonating someone they know," the SSSCIP said.

In the latter half of 2023 and earlier this year, many Russian hacking teams initiated contact through email. In recent months, the SSSCIP said, they've shifted tactics - perhaps because of improving Ukrainian email defenses - and are bolstering phishing attacks by targeting victims through dating platforms or encrypted messaging apps such as Signal.

"Once trust is established, hackers send a malicious archive with a shortcut, disguised as something relevant to the conversations, such as awards, combat footage or recruitment information," report authors said. "When opened, the archive appears to contain the expected content, but in fact secretly infects the system with malware."

All of those tactics stand in sharp contrast to early 2022 when Russia initiated a war of conquest against Ukraine backed by a barrage of wiper malware in a bid to disrupt critical infrastructure, including government agencies and internet service providers.

Earlier this month, the United States named six officers in the Russian Main Intelligence Directorate, accusing them of deploying wiper malware against Ukrainian government and civilian networks, as part of an alleged conspiracy to hack into and destroy computer systems and data beginning in January 2022.

By mid-2022, Russian hacking teams appeared to have largely exhausted their stockpile of destructive malware. With Russia's military planners having predicted that the "special military operation" would lead to a quick victory, experts said the country's military and intelligence establishment may have been ill-prepared for an extended conflict, and failed to develop a stockpile of wiper malware beyond the approximately 15 strains seen to date.

In 2023, Russia's focus appears to have shifted to hacking in support of cyberespionage and cyber operations to support Moscow's stalled ground offensive. These efforts often aimed to maintain covert, long-term access to sensitive systems for information-gathering purposes, as well as to use "cyber elements to gather feedback on the outcomes of their kinetic strikes," the SSSCIP's Nakonechna said. Other efforts included psychological operations designed to target Ukrainians' morale (see: Russia Continues to Focus on Cyber Operations and Espionage).


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



