Threat actors are increasingly exploiting legitimate services in Ukraine to carry out their malicious activities, with attacks mainly attributed to Russia-linked hacker groups, Ukraine's State Service for Special Communications and Information Protection (SSSCIP) reported.
According to the agency's report, most of the cyberattacks targeting Ukraine over the past year were intended for espionage, financial theft, or to inflict psychological damage. The attacks were predominantly carried out by three Russian-affiliated hacker groups: UAC-0010, UAC-0006, and UAC-0050. These groups have been linked to a range of malicious operations, targeting Ukrainian government systems, defense enterprises, and critical infrastructure.
The SSSCIP's incident response center reported addressing 1,042 cybersecurity incidents over the past year, with many targeting sensitive sectors such as government, defense, and critical services. The data was gathered through network monitoring equipment installed on the systems of nearly 90 Ukrainian enterprises.
The majority of the cyber incidents involved the use of malware, intrusion attempts, and information gathering. The most common attack vector, according to the report, involved compromised user accounts and the distribution of malicious software via phishing emails.
The most active threat actor identified in the report was UAC-0010, also known as Gamaredon. This group, which has been operating since at least 2013, is considered one of the most persistent and dangerous state-sponsored hacker units targeting Ukraine. Over the past year, Ukraine's cybersecurity teams detected 277 separate cyber incidents linked to Gamaredon, which primarily focuses on espionage and gathering intelligence on Ukrainian state agencies and defense contractors.
Gamaredon is believed to operate from the Russian-annexed Crimean peninsula and is widely thought to act on orders from Russia’s Federal Security Service (FSB). The group's highly targeted campaigns have made it one of the most notorious threat actors in the region.
The second most active hacker group, UAC-0006, was responsible for 174 incidents, with a focus on financial theft. This group is known for utilizing Smokeloader malware, which enables them to infiltrate Ukrainian financial institutions and government organizations. The group’s primary goal appears to be financial gain through data theft and fraud.
UAC-0050 is responsible for a series of large-scale disinformation campaigns targeting Ukrainian institutions. One of the most notable campaigns attributed to this group involved sending emails warning of a terrorist attack, creating unnecessary panic and confusion. In addition to psychological manipulation, UAC-0050 has also been involved in cyber espionage and financial theft.
The report contains recommendations to help organizations protect their systems and data. These include: keeping both software and hardware up to date; monitoring potential attack surfaces exposed to the internet; email protection; endpoint protection; asset inventory and network monitoring; multi-factor authentication; and logging, since complete log data enables timely detection of and response to cyber incidents and attacks.