Russian hackers increase number of cyberattacks on Ukraine and change tactics
Russian hackers have changed their tactics for cyberattacks on Ukraine, with the number of attacks increasing compared to last year. Most commonly, they target Ukrainians through Telegram and WhatsApp messengers.
This was stated by Yevheniia Nakonechna, head of the State Cyber Defence Centre of the State Special Communications Service, on Hromadske Radio.
According to Nakonechna, Ukraine recorded 20% more cyberattacks in the first half of 2024 compared to the same period last year. However, the number of attacks aimed at disabling infrastructure facilities decreased by 85%.
“These figures are based purely on the information we have, specifically the data on cyberattacks that we have directly investigated,” Nakonechna stated.
Nakonechna also noted that more organisations are reaching out to improve their cybersecurity. They are no longer afraid to admit they have been attacked. As a result, the amount of data the institution receives has increased.
She added that Russian hackers primarily target government agencies, local authorities, the security and defence sectors, and the energy sector.
“However, this doesn’t mean others are safe from attacks. Anyone can be a target—whether it’s a small village council or a large ministry with extensive infrastructure, even individuals,” she said.
War and Cyberattacks: A Changing Focus
Discussing cyberattacks since the beginning of the war, Nakonechna highlighted that while the intensity of attacks continues to rise, the attackers’ focus shifts annually. She recalled that in early 2022, Russian hackers concentrated on destructive cyber operations against critical infrastructure and attempted to steal databases. They also targeted logistics and ran media campaigns to spread panic among civilians. However, these attacks didn’t have the desired effect, as Ukrainian IT systems quickly recovered.
“In 2023, the strategy gradually evolved. Hackers began embedding themselves more deeply into networks to covertly spy and gather as much information as possible. For example, they were interested in assessing the impact of missile strikes. This year, we’ve noticed a shift towards cyber espionage related to the theatre of war. Hackers are targeting service providers and trying to remain undetected in organisations connected to the defence sector or critical infrastructure,” Nakonechna explained.
She also mentioned that Russian hackers from occupied Crimea, working with the FSB, specialise in sending malware via email. Other groups employ more sophisticated methods, targeting representatives of the security and defence sectors. Additionally, there are groups that launch attacks from occupied Luhansk.
“Here, malware is delivered via messengers. Phishing remains a constant threat, where hackers send emails containing a file or a link that leads to a fake login page resembling an email or application login screen,” she explained.
Hijacking Telegram Accounts: How Hackers Operate
Nakonechna also described a scheme where hackers hijack Telegram accounts by asking users to participate in a vote or contest. In this scenario, users are prompted to log in using Telegram, which results in a third-party device being added to their account. At some point, the hackers terminate the user’s session, causing the user to lose access to their account while the hackers gain full control. From there, the hackers can exploit the account to hack others or demand money from the original user.
“This is exactly what phishing looks like, and any user can become a victim,” she emphasised.
Regarding Signal messenger, often considered one of the most secure platforms, Nakonechna noted that hackers commonly use it to send viruses. Hackers can steal data from Signal if the messenger is installed on an infected computer.
Nakonechna concluded that Russian hackers, often affiliated with military organisations, carry out the majority of cyberattacks on Ukraine. However, commercial hacker groups are also involved.
As a reminder, in August 2024, Monobank experienced a large-scale cyberattack. The attack lasted three days and aimed to paralyse its services, although it did not pose a threat to customers’ money.