
Russian Hackers Shift Tactics: From Destructive Attacks to Espionage. SSSCIP Report
An analysis of cyber incidents in Ukraine from 2022 to 2024 reveals a significant shift in the priorities and tactics of Russian hacking groups. This is detailed in the report "War and Cyber: Three Years of Struggle and Lessons for Global Security," which specialists from the State Service of Special Communications and Information Protection (SSSCIP) developed in conjunction with the analytical center ICE Task Force.
The report uncovers the evolution of the adversary's strategy – moving from massive destructive cyberattacks to a focus on data gathering, intelligence collection, and information-psychological operations.
At the onset of the full-scale invasion in 2022, Russian hackers concentrated on destructive operations, aiming to paralyze Ukraine's critical infrastructure, exfiltrate data, and sow panic. Key targets at the time included the energy and telecommunications sectors, as well as government agencies. Malicious software such as WhisperGate, HermeticWiper, and Industroyer2 was detected. However, thanks to the swift response of Ukrainian specialists, significant disruptions to the provision of critical services were averted.
In 2023, the adversary's strategy shifted. Instead of broad, destructive attacks, Russian hackers began to focus on covert intelligence gathering and establishing a persistent presence within key systems. The number of sophisticated attacks increased, and new, previously unknown hacking groups emerged. Particular attention was paid to targeting messengers popular among military personnel, with the aim of collecting critical data. Concurrently, there was an uptick in financially motivated cyberattacks.
This trend persisted into 2024. The focus shifted to targets directly involved in military operations and to service providers supporting the war effort. While the number of critical incidents decreased, cyberattacks against state organizations and local government bodies surged significantly (accounting for up to 60% of all incidents). This escalation may be linked to attempts at initial access through phishing and the dissemination of malicious software.
The adversary is increasingly employing supply chain attacks, compromising vendors and developers of specialized software to stealthily gain access to critical systems. Phishing campaigns have become even more sophisticated, and hackers are utilizing complex chains of SSH tunnels via Tor to conceal their location.
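Two of the defensive checks that follow from the paragraph above, written as an added example for this page rather than code taken from the report or from SSSCIP: first, flag successful sshd logins whose source address is a Tor exit node (the sample log lines and the exit-node set are constructed here; in practice the set would be refreshed from the Tor Project's published exit list, e.g. https://check.torproject.org/torbulkexitlist); second, audit the global section of an sshd_config for settings that let a compromised host be used as a hop in an SSH tunnel chain. The log lines use documentation address ranges and hypothetical user names.

```python
import re
from ipaddress import ip_address

# Constructed sshd log lines (syslog format); not taken from any real system or from the report.
SAMPLE_SSHD_LOG = """\
Mar 12 03:14:07 host1 sshd[2241]: Accepted publickey for deploy from 203.0.113.45 port 51322 ssh2: ED25519 SHA256:abc
Mar 12 03:14:09 host1 sshd[2241]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
Mar 12 03:15:30 host1 sshd[2270]: Accepted password for admin from 10.20.30.40 port 40122 ssh2
Mar 12 03:16:02 host1 sshd[2290]: Failed password for root from 203.0.113.45 port 51400 ssh2
Mar 12 03:20:11 host1 sshd[2310]: Accepted publickey for svc from 198.51.100.7 port 2200 ssh2: RSA SHA256:def
"""

# Constructed stand-in for a Tor exit-node list (documentation addresses, not real exits).
TOR_EXIT_IPS = {"203.0.113.45", "198.51.100.7"}

# Matches only successful authentications; failures and session-open lines are ignored.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepted_logins(log_text):
    """Return one dict per successful sshd login found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        try:
            ip_address(m["ip"])  # skip malformed or hostname-only entries
        except ValueError:
            continue
        events.append({"ts": m["ts"], "user": m["user"], "method": m["method"],
                       "ip": m["ip"], "port": int(m["port"])})
    return events


def flag_tor_logins(events, tor_exit_ips):
    """Keep only logins whose source address is in the supplied Tor exit set."""
    return [e for e in events if e["ip"] in tor_exit_ips]


# Settings that enable an SSH host to relay traffic onward. OpenSSH defaults:
# AllowTcpForwarding yes, PermitTunnel no, GatewayPorts no.
TUNNEL_KEYS_DEFAULTS = {"allowtcpforwarding": "yes", "permittunnel": "no", "gatewayports": "no"}
TUNNEL_KEYS_WANTED = {"allowtcpforwarding": "no", "permittunnel": "no", "gatewayports": "no"}


def audit_sshd_config(config_text):
    """Return {key: effective_value} for tunnelling-related keys whose global value is not 'no'.

    sshd uses the first value it reads for a keyword, so only the first occurrence counts.
    Parsing stops at the first Match block; conditional overrides are out of scope here.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in TUNNEL_KEYS_WANTED and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    findings = {}
    for key, wanted in TUNNEL_KEYS_WANTED.items():
        effective = seen.get(key, TUNNEL_KEYS_DEFAULTS[key])
        if effective != wanted:
            findings[key] = effective
    return findings


# Constructed configs: a permissive one and a hardened one with a scoped exception.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin no
AllowTcpForwarding yes
PermitTunnel point-to-point
"""

HARDENED_SSHD_CONFIG = """
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for e in flag_tor_logins(parse_accepted_logins(SAMPLE_SSHD_LOG), TOR_EXIT_IPS):
        print(f"{e['ts']} login for {e['user']} via {e['method']} from Tor exit {e['ip']}")
    print("weak config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

A login from a Tor exit is not proof of compromise on its own, so the flagged events are best fed into correlation (for instance, the same account then opening outbound SSH sessions) rather than blocked outright; the config audit, by contrast, is a direct control against a host being used as an intermediate hop.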
Among the Russian groups monitored by CERT-UA between 2022 and 2024, UAC-0002 (Sandworm), affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), was highly active in the energy and telecommunications sectors. The most prolific was UAC-0010 (Gamaredon, also tracked as Primitive Bear), associated with the FSB's Center 18, with 829 recorded incidents over the three-year period.
These findings underscore that the cyberwar against Ukraine is constantly evolving, necessitating continuous improvement in defensive methods and active counteraction from Ukrainian specialists.
The full text of the report is available via the provided link.