Specialists from CERT-UA, part of Ukraine’s State Service for Special Communications and Information Protection (SSSCIP), have released an analytical report titled “Russian Cyber Operations H2'2024.” The report provides a detailed analysis of cyber threats detected during the second half of 2024, focusing on changes in tactics and priorities of Russian hacker groups.
The report notes a 48% increase in cyber incidents compared to the first half of 2024, with a notable rise in both the complexity of attacks and the sensitivity of the targeted systems. Russian hackers are actively using automation and supply chain attacks, and are combining espionage with sabotage techniques.
The main focus of the cyberattacks has been intelligence gathering, particularly data that could impact the frontline military situation. Russian cyberattacks have targeted situational awareness systems and specialized defense enterprises.
Several Russian hacker groups, including UAC-0050, have expanded their activities. UAC-0050, previously focused on cyber espionage, has begun stealing financial assets and conducting information-psychological operations under the "Fire Cells Group" banner. They have also deployed malware distribution campaigns through legitimate services like Bitbucket and GitHub and increased phishing attempts targeting a broader range of organizations.
Another group, UAC-0099, continues its espionage activities and has targeted government organizations, including forestry and medical institutions, as well as factories. UAC-0020 (Vermin) carried out targeted attacks on military personnel in summer 2024, while UAC-0180 has been focusing on defense enterprises and military personnel using continuously evolving malware tools.
UAC-0185 (UNC4221) has been active since 2022, focusing on stealing credentials from messaging platforms like Signal, Telegram, and WhatsApp, as well as from military systems. Additionally, UAC-0002 (APT44, Sandworm) targeted Ukraine’s "Army+" digital document management system by creating fake versions of its app, distributing malicious installers that provided remote access to victims' computers.
During the second half of 2024, CERT-UA observed the use of exploits for several vulnerabilities across different operations, including: GeoServer (CVE-2024-36401), HFS HTTP File Server (CVE-2024-23692), Adobe Acrobat Reader (CVE-2023-21608), Roundcube (CVE-2023-43770), WinRAR (CVE-2023-38831).