Groups related to Russia's FSB, military intelligence, foreign intelligence service perform cyber attacks against Ukraine in 2022 – Ukraine's service of special communication

KYIV. March 9 (Interfax-Ukraine) – Groups associated with the Russian Federal Security Service (FSB), military intelligence (GRU) and the Foreign Intelligence Service (SVR) carried out hacker attacks against Ukraine aimed at cyber espionage and data theft, the government computer emergency response team CERT-UA said in its report on Russian cyber tactics against Ukraine in 2022, published on the website of the State Service of Special Communication and Information Protection of Ukraine.

CERT-UA specialists drew these conclusions after manually processing 2,194 cyber incidents in 2022, of which 1,148 were critical- or high-severity incidents, according to the document.

According to the report, the FSB-associated Gamaredon group remained the most active group based on the incidents registered in H2 2022. In the second half of the year alone, 74 Gamaredon-associated cases were registered. The main purpose of its activity is cyber espionage. CERT-UA has also investigated cases in which, after a network was infected by Gamaredon malware, lateral movement within that network began using TTPs belonging to other Russia-related threat actors. The major targets include key governmental organizations, state-owned enterprises and the security and defense sector, according to the report.

CERT-UA specialists said that Gamaredon's primary method is spreading malware with the help of phishing emails. Its phishing emails are always well-crafted and use topics that relate directly to the competence of the affected organizations. Another factor in Gamaredon's success is that it actively uses email accounts compromised in earlier successful cyber attacks. The group also actively utilizes the Crimean telecom/hosting provider CrymCom.

The military intelligence unit Sandworm (UAC-0082) was also active in cyber attacks against Ukraine. In H2, CERT-UA analyzed 14 incidents that are attributed with a high level of confidence to Sandworm. The group specializes primarily in cyber espionage and destructive activity. Its targets are critical infrastructure organizations such as energy facilities and logistics companies, but also popular media and critical public resources, the State Service of Special Communication said.

According to the report, the Belarusian group GhostWriter is a state-sponsored cyber espionage actor that is engaged in credential harvesting and malware campaigns. Despite recorded activity during Q1 and Q2 (four cases), no attributed activity was registered in Q3 or Q4.

“The summertime decrease in cases could be explained by an increased engagement of malicious actors in the active search of new targets/opportunities… Possibly prompted by an internal reprioritization and alignment with top russian military command forces. Another explanation could be the impact of vacations, which would support the assumption of attackers being mostly ‘hackers in uniform,’” CERT-UA said in the report.

According to the report, surges in high- and critical-severity cyber attacks against Ukraine were recorded at the beginning and at the end of 2022.

The main target of Russian cybercriminals remained civilian infrastructure, but the priorities of the hackers during the full-scale invasion changed in accordance with military needs.

During the second half of 2022, the experts recorded a shift in the focus of Russian hackers from the media and telecommunications industries, which were among the main targets at the beginning of the war, to the energy system, which also became one of the principal targets of Russia's missile attacks from October last year. The purposes of Russian hackers changed as well, from a large number of attacks aimed at disruption to spying and data theft.

“In H2 2022, the FSB/GRU/SVR demonstrated their distinct eagerness for Intelligence collection. The most heavily attacked sector in terms of cyberespionage and aggressive operations from adversaries remains Ukraine’s civilian infrastructure, including government institutions and critical infrastructure (energy companies, commercial organizations, logistics companies, the Ministry of Energy, the Ministry of Finance, the Ministry of Foreign Affairs, etc.). Defense organizations are also targeted, including the Ministry of Defense, the State Border Guard Service etc.,” the experts said in the report.

Enemy cyber attacks targeted various sectors, including 556 attacks on the government sector, 113 on the military, 43 on the telecom and IT sectors, 19 on the transport sector, 29 each on the media and energy sectors, and 12 on the banking sector.

Spear phishing remains one of the dominant and still effective techniques, but Russian hacker groups have also begun to focus on exploiting technical vulnerabilities in organizations. Malware infections were also used. Stealers play an important role in gaining access to internal networks via VPN connections that lack 2FA. Account compromise via malware infections or CobaltStrike implants delivered through exploited vulnerabilities remains an active method of exploitation and persistence.

Malicious actors actively exploit email services and trust between recipients for malware distribution.

Of the incidents in the second half of 2022, 157 cases involved the use of detected vulnerabilities, 151 were phishing cases, and 141 were malware distribution cases.