Moscow preferred espionage over destruction in its cyber offensive strategy against Ukraine in the first half of 2024, displaying the evolving nature of Kremlin’s targeted cyberattacks on Kyiv.
The cyber battlefield has shifted in 2024, with Russian hacker groups adopting more covert and long-term strategies. Rather than the large-scale infrastructure attacks seen in previous years, Russian cyber operatives have turned to espionage, focusing on military and critical infrastructure targets to support their ongoing war against Ukraine.
While cyber incidents have risen overall, the number of high and critical severity attacks has dropped. This shift marks a strategic change, moving from broad, destructive cyberattacks to more focused and sustained infiltration efforts aimed at gathering intelligence.
The Numbers Behind the Attacks
A report released on Monday by the Computer Emergency Response Team of Ukraine revealed this shift in focus. H1 2024 saw a total of 1,739 cyber incidents, a 19% increase from the second half of 2023. However, the number of critical incidents dropped by 90%, with only three reported in the first half of 2024 compared to 31 in the latter half of 2023. High-severity incidents also saw a sharp decline, falling by 71%, while medium and low-severity incidents increased by 32% and 75%, respectively.
This data suggests that while the overall frequency of cyberattacks has grown, the attackers’ tactics have shifted towards lower-profile activities designed to avoid detection. These lower-severity incidents often involve malware distribution, espionage, and efforts to maintain access to compromised systems rather than causing immediate, visible damage.
Targeted Espionage and Covert Operations
In 2022 and 2023, Russian hackers focused on disrupting Ukraine’s critical infrastructure, aiming to cripple government agencies, energy providers, and internet service providers (ISPs). However, the swift recovery of Ukraine’s systems meant these attacks did not achieve their intended long-term goals. The 2024 shift towards espionage reflects a more calculated approach.
Groups like UAC-0184 and UAC-0020 aka Vermin hacker group, both linked to Russian intelligence services, have been particularly active this year. These groups specialize in cyber espionage, using phishing campaigns and malicious software to gain access to sensitive systems.
UAC-0184, for example, has targeted members of Ukraine’s Defense Forces through messaging apps like Signal, impersonating trusted contacts to distribute malware. Once the malware is deployed, the hackers can monitor communications, steal data, and maintain long-term control over the compromised systems.
This pivot from overt attacks to espionage also marks a new phase in Russia’s cyber strategy. Rather than causing immediate disruption, the focus now lies in gathering intelligence to support military operations. CERT-UA’s report highlights how hackers are using cyber operations to collect feedback on kinetic military strikes, such as missile attacks.
Critical Infrastructure Still in Focus
Though espionage has taken center stage, attacks on critical infrastructure continue. The report notes that attacks on Ukraine’s energy sector have more than doubled since the latter half of 2023, with hackers increasingly targeting industrial control systems (ICS) used by power, heat, and water supply facilities.
The UAC-0002 group, which has ties to Russian law enforcement in occupied Luhansk, executed a significant supply chain attack in March 2024. The hackers exploited vulnerabilities in software used by at least 20 energy companies, gaining access to ICS and using it for lateral movement within the networks.
This kind of supply chain attack allows hackers to breach multiple organizations simultaneously by targeting a common service provider. In the March incident, UAC-0002 targeted three supply chains, infecting multiple energy companies with malware and backdoors. The attackers used specialized software, such as LOADGRIP and BIASBOAT, to gain access to critical systems and escalate their attacks, possibly to complement physical strikes on Ukrainian infrastructure.
Messenger Account Theft: New Entrant in Cyber Offensive Strategy
Another notable trend in 2024 is the increasing focus on messenger account theft. Platforms like WhatsApp and Telegram, widely used by Ukrainian citizens, have become prime targets for Russian hackers.
The UAC-0195 group, for instance, used phishing campaigns to compromise thousands of messenger accounts. These compromised accounts are then used for a range of malicious activities, including spreading malware, conducting espionage, and committing financial fraud.
In one instance, hackers posed as organizers of a petition to honor a fallen Ukrainian soldier. They directed victims to a fake website mimicking the President of Ukraine’s official page, where users were asked to authenticate via WhatsApp. This phishing tactic allowed hackers to add their devices to victims’ WhatsApp accounts, gaining access to personal messages, files, and contacts.
This tactic extended to Telegram, where hackers used a similar method to lure users into “voting” in an art competition, once again gaining unauthorized access to accounts. With this access, hackers can impersonate the account holder, spread further phishing links, and even steal sensitive information from high-value targets.
The latest findings were revealed just days after Ukraine banned the use of Telegram messenger app on any of the government, military or critical infrastructure-linked devices. This decisive move follows growing concerns over its vulnerability to cyber espionage. The NCSCC’s meeting on September 19 highlighted how the widely used app has transformed from a tool for free speech into a weapon of war.
Phishing Campaigns and Malware Distribution
Phishing remains a key tool for Russian hackers. In early 2024, UAC-0006, a financially motivated group, continued its phishing campaigns targeting employees in financial departments. These campaigns often used polyglot archives—files that appear differently depending on the software used to open them—to deliver malware like SmokeLoader.
Once deployed, SmokeLoader allows attackers to install additional malware, such as TALESHOT, which captures screenshots when a banking application is open. This malware enables hackers to gain a deeper understanding of the victim’s activities and access critical financial data. In some cases, hackers even edited or created fraudulent invoices to steal funds from targeted organizations.
The UAC-0006 group briefly paused operations in March 2024, but returned in May with renewed efforts, registering new domains to continue phishing attacks and regain control over previously compromised systems.
Ukraine’s Cyber Resilience: A Battle on Two Fronts
Despite the rising number of cyberattacks, Ukraine’s cyber defenses have shown remarkable resilience. CERT-UA, in collaboration with the State Service for Special Communications and Information Protection (SSSCIP), has made significant strides in defending against these threats. Their efforts have resulted in a sharp decline in high-severity incidents, even as overall attack numbers rise.
The report credits improved visibility and collaboration with international partners for this success. Enhanced detection capabilities, coupled with better awareness among organizations, have allowed Ukraine to respond more quickly to emerging threats. This collaboration includes sharing cyber threat intelligence with CERT-UA’s partners, which has helped identify and mitigate numerous attacks.
However, the report also warns that the capabilities of Russian hackers continue to grow as the war drags on. The increasing sophistication of supply chain attacks and the persistent threat of phishing campaigns mean that Ukraine’s cyber defense strategies will be tested time and again.
