26 September 2023

At least 23 Russian hacker groups targeted Ukraine in 2023, Ukraine’s cyber defense says


More than two dozen Russia-linked hacker groups targeted Ukraine in 2023, with the most activity coming from the Gamaredon and Sandworm APTs as well as various “hacktivist” collectives that, in reality, are just a front for state-controlled criminals, according to a new analytical report on Russia’s cyber tactics published by the State Service for Special Communications and Information Protection of Ukraine (SSSCIP).

While the energy and media sectors remain among the Russian hackers’ major targets, in the first half of 2023 the threat actors were observed shifting focus to law enforcement agencies, in order to learn what evidence of Russian war crimes Ukrainian investigators have obtained and submitted for trial and prosecution, which arrest warrants have been issued for suspected agents, and so on.

There was also an increase in attacks against the private sector with the goal of monitoring the outcomes of Russia’s kinetic operations, including missile and drone attacks.

Overall, Ukraine saw a 123% rise in security incidents in the first half of 2023; however, the numbers of critical and high-severity incidents decreased by 81% and 46% respectively.

“The attackers appear to be using less sophisticated tactics, employing a ‘spray and pray’ approach, while Ukraine's defense of its infrastructure has markedly improved compared to six months ago,” the SSSCIP noted.

The experts have also observed a notable “revisiting” trend where Russian hackers strike known victims who handle and maintain the critical data needed by the Russian military.

“Having prior knowledge of a victim organization's network infrastructure, defensive measures, key personnel, and communication patterns provides returning attackers with a substantial advantage when it comes to exploiting organizations that have been compromised in the past,” the report noted.

To carry out malicious activity, attackers use a variety of methods, including built-in system features, external tools, and legitimate software such as WinRAR, SDelete and various other Windows utilities. Threat actors also actively develop and distribute exploits for known vulnerabilities in open-source email systems such as Zimbra and Roundcube.
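Tooling of this kind (built-in utilities and legitimate software rather than bespoke malware) leaves few file-based indicators and is usually caught from process-creation telemetry instead. The following is an added example written for this page, not code from the SSSCIP report: a small triage scanner that runs a handful of behavioural rules over process-creation events. The event fields are modelled loosely on Sysmon Event ID 1, the sample events are constructed, and the rule names and the inclusion of wevtutil as one of the “other Windows utilities” are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields, trimmed)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry for this example; not taken from the report.
SAMPLE_EVENTS = [
    ProcEvent("winword.exe", "cmd.exe",
              r'cmd.exe /c "C:\Program Files\WinRAR\Rar.exe" a -hp s3cret -r C:\Users\u\Documents\*.docx C:\Users\Public\o.rar'),
    ProcEvent("explorer.exe", "WinRAR.exe", r"WinRAR.exe x C:\Users\u\Downloads\report.rar"),
    ProcEvent("cmd.exe", "sdelete64.exe", r"sdelete64.exe -accepteula -z C:"),
    ProcEvent("powershell.exe", "wevtutil.exe", r"wevtutil.exe cl Security"),
    ProcEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\u\readme.txt"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches, in rule order."""
    hits = []
    image = ev.image.lower()
    cmd = ev.command_line.lower()

    # Rule 1: RAR archive created ("a" command) with a header-encrypting
    # password (-hp), the usual way documents are staged for exfiltration.
    uses_rar = image in ("rar.exe", "winrar.exe") or "rar.exe" in cmd
    if uses_rar and re.search(r"(^|\s)a\s", cmd) and re.search(r"\s-hp\S*", cmd):
        hits.append("archive_password_staging")

    # Rule 2: any SDelete execution; ordinary users do not wipe free space.
    if image.startswith("sdelete"):
        hits.append("sdelete_wipe")

    # Rule 3: "wevtutil cl <log>" clears an event log (anti-forensics).
    if image == "wevtutil.exe" and re.search(r"\scl\s", cmd):
        hits.append("event_log_clear")

    # Rule 4: an Office application spawning a shell or script host is the
    # classic phishing-attachment execution chain.
    if ev.parent_image.lower() in OFFICE_PARENTS and image in SHELL_CHILDREN:
        hits.append("office_spawns_shell")

    return hits


def scan(events) -> dict[int, list[str]]:
    """Map event index -> matched rules, for events matching at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{', '.join(rules)}] {ev.parent_image} -> {ev.command_line}")
```

Run on the constructed events, the scanner flags the Word-spawned password-protected RAR staging, the SDelete run and the log clear, and leaves the interactive WinRAR extraction and Notepad alone. In production each rule would be tuned against baseline telemetry (backup jobs, for instance, legitimately call rar.exe), which is exactly why living-off-the-land tooling is attractive to the actors the report describes.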

The most active Russian APTs in 2023 include FSB-linked UAC-0010 (Gamaredon), UAC-0056 (linked to the Main Directorate of the General Staff of the Russian Armed Forces, the GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144/UAC-0024/UAC-0003 (Turla), UAC-0029 (APT29, linked to Russia’s foreign intelligence service), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet) and UAC-0107 (CyberArmyofRussia).

According to the report, the number of Gamaredon’s operations increased significantly (in the first half of 2023 the experts observed 103 attacks by the group, compared with a total of 128 attacks recorded in all of 2022), although not all of them were successful.

The threat actor showed explicit interest in every area of law enforcement (54.1% of its cases) and persistent interest in all organizations related to the Ukrainian Defense Forces. The group has substantial manpower and uses primitive methods that are nonetheless quite effective.

“This substantial growth in the volume of cyber operations, accompanied by shifts in focus and tactics compared to previous periods, can be attributed to several factors. These include an expansion in manpower and team capacity, the infusion of new talent from Russia's abundant pool of skilled individuals, and the mobilization of IT professionals from the private sector to serve in the military,” the report said.

As for the intrusion methods employed by Russian hackers in the first half of 2023, phishing remains the most prevalent tactic, followed by malware infections involving command-and-control (C2) connections, DoS/DDoS attacks, and intrusions via known vulnerabilities or compromised accounts.

“During the war, there takes place an obvious ‘merging’ between criminal hacker groups and the aggressor state. There are numerous cases of using a toolset of Trickbot/Conti hacker groups for performing attacks toward objects of critical infrastructure, in particular energy infrastructure,” the report said, citing as an example the activity of the Tropical Scorpius group, which used the RomCom backdoor in its attacks.

The Sandworm APT was responsible for the majority of destructive attacks against Ukrainian entities, the SSSCIP said. In August, Ukraine’s security services foiled Sandworm's attempt to compromise the combat data exchange system of the Armed Forces of Ukraine using the Infamous Chisel malware.

To publicize the attacks, threat actors often leak stolen files and technical documentation on Telegram channels controlled by so-called “independent volunteers” such as CyberArmyofRussia_Reborn.

The list of the most active pro-Russian “hacktivist” groups includes Killnet, NoName057(16), XakNet Team, Anonymous Russia, and Cyber Army of Russia. These groups appear to collaborate, targeting the same or similar targets and reposting each other’s content on social media platforms, although their claims rarely describe the nature of the supposed cyberattack.

