Ukraine's Critical Infrastructure Hit 3,000 Times Since 2022Hackers Evolve Tactics to Focus on Espionage, Not Destruction, State Agency Says
Cyberattackers have hit Ukraine's critical infrastructure over 3,000 times since the beginning of the Russian invasion in February 2022, according to Ukraine's national incident response team.
The State Service of Special Communications and Information Protection of Ukraine warned that such attacks may continue for years even after the fighting on the ground is over.
Public and local authorities have been highly targeted, and the country's security and defense sector information resources have been attacked at least 367 times, according to the report shared by SSSCIP with Information Security Media Group.
Malware was the preferred means for carrying out the attacks, and the main intent was information gathering, the SSSCIP said.
Change in Tactics
To align with the goals of the Russian military, cyberattackers have changed their tactics against Ukrainian critical infrastructure since the early days of the full-scale invasion. Initially, the attacks were focused on influence operations and the destruction of critical IT infrastructure. Citing the cyberattack on Viasat, the SSSCIP said, "The sole purpose of such attacks was hindering the resistance against military invasion and spreading chaos across the country."
But as the invasion progressed, Russian hackers shifted from destruction to espionage in every sector, especially military and technology organizations, the SSSCIP said (see: Russian Hackers Focused on Espionage, Not System Destruction).
Russian Threat Actors and Their Specializations
Russian hacker groups have specialized in certain types of cyberattacks. About 20% of the cyberattacks are destructive and are mostly carried out by the Sandworm group. "These hackers infiltrate systems and destroy data, infrastructure and services that are vital for the people," the SSSCIP said.
One example is Sandworm's foiled cyberattack on a regional electricity distribution company on April 8, 2022. The attack was successfully prevented thanks to timely assistance from private sector partners Microsoft and Eset (see: Russia-Linked Sandworm Attacks Ukrainian Energy Facility).
InvisiMole, a hacking group associated with Russia's foreign intelligence service, is regarded as the "most dangerous cyber spying group" and focuses on cyberespionage or stealing confidential data, the SSSCIP said.
InvisiMole hackers use pirated software torrents to deliver spyware that can go unnoticed for years. The group primarily focuses on politicians, diplomatic missions and ambassadors, the military, and their production and manufacturing units. Russian special services use the stolen data to plan further attacks on the country through conventional warfare, the SSSCIP said.
Another Russian hacker group that specializes in cyberespionage is Armageddon, which mostly targets security and defense sector organizations. Also tracked as UAC-0010, Gamaredon and Primitive Bear, Armageddon is linked to the Office of the FSB of Russia in the Republic of Crimea and the city of Sevastopol. Operational since 2014, the group consists of regular officers of the FSB and some former law enforcement officers of Ukraine, according to a report by the Security Service of Ukraine.