From a black approach: hackers have quadrupled their attacks on Russia


How hackers attacked the country
In 2024 hackers attacked the web resources of Russian companies four times as often as in 2023, cybersecurity companies told Izvestia. Last year the average number of web attacks on Russian domains rose from 15 million to 65 million events per month, according to the analytical report of Solar group's WAF service, which Izvestia has reviewed.
Experts analyzed statistics on web attacks against the online resources of various industries, including the public sector, IT, mail services, retail, banks, manufacturing, telecom and others. According to their findings, hackers increasingly target not only companies' main websites but also internet-facing corporate portals for employees, test sites and various web applications.
"The average share of information security events recorded on API (a software interface for exchanging information between services, web applications, and software), OWA (the web client for the Microsoft Outlook mail client), Jira (a project management service), and Confluence (an online document collaboration system) more than doubled in 2024, to 7%," the report says.
The number of attacks on the APIs of Russian companies as a whole increased more than fourfold in 2024, from 9 million to 39 million, with the main spikes in March and August. The largest web attack peaked at 1.5 million requests per second, five times the 2023 figure.
One of the main trends of the past year was a significant increase in the share of events attributed to scanners, that is, automated vulnerability probing of web applications and bot activity, Solar noted. The share of scanner traffic rose from 26% to 51% on average, and in December it reached 77%, with a particular surge in retail. According to the experts, this growth means that hackers have been launching attacks with automated scanners, which can lead to online resources being taken offline and to data leaks.
The most attacked industries were postal services, cargo and passenger transportation, and retail. According to Ashot Oganesyan, founder of the DLBI darknet leak intelligence and monitoring service, e-commerce companies were attacked most often because of their broad presence on the Internet combined with minimal investment in information security.
The StormWall analytical center, for its part, found that the telecommunications industry became the main target of attackers in Russia in 2024. Attacks on the telecom sector accounted for 31% of the total, compared with only 14% in 2023. Politically motivated "hacktivists" seeking to harm Russian business took part in organizing mass attacks on telecom companies.
The public sector was also among the main targets last year (17% of the total number of attacks). Mass attacks on it were launched by "hacktivists" against the backdrop of a difficult geopolitical situation. Attackers focused on the public sector because attacks on it were fairly successful, the analysts noted: by the end of 2024, the success rate of attacks on state-owned companies was 42%.
According to Kaspersky DDoS Protection, in Russia, financial organizations, the public sector, telecom operators, and retail are becoming the most attacked industries. In 2024, the total number of DDoS incidents in the country increased by 37%.
For example, in June 2024 the Verny retail chain suffered a hacker attack, after which almost 1,000 of its stores could not accept bank card payments for several days. Online orders were also unavailable because the website and app were down. Later, as a result of a hacker attack on the National Payment Card System (NSPK), for several hours on June 20, 2024 some online card payments and transfers via the SBP did not go through or failed on the first attempt.
And in September 2024, hackers attacked the websites of the Foundation Management Center, which issues electronic signatures in more than 60 regions of Russia. As a result of the cyberattack, the process of issuing electronic signatures was stopped. A month later, the state-owned GAS Justice service and the official website of the Federal Arbitration Courts of the Russian Federation were attacked by pro-Ukrainian hackers.
However, Ashot Oganesyan did not confirm the sharp increase in attacks on Russian resources.
— According to our estimates, the number of hacking attempts is generally at the level of 2023, — he noted. — The appearance of this kind of trend may rather be a consequence of the increased control of Russian companies over their infrastructure, as a result of which they discovered attacks that they simply had not noticed before.
What schemes did the criminals use
In the behavior of hackers one can see a gradual shift away from widespread exploitation of vulnerabilities towards password reuse attacks, Ashot Oganesyan said. To carry them out, attackers not only collect every available password leak but also increasingly use stealer programs that try to infect as many computers of Russian users as possible.
— The past year has shown that hackers intend to cause maximum harm to users who access various Internet services on a daily basis, as well as reputational damage to companies, and to deprive businesses of profits, — said Alexey Pashkov, head of Solar WAF.
— We assume that this trend may continue in 2025, — he said.
Downtime can lead to serious business consequences, analysts at Monk Digital Lab noted. Among the main consequences of failures, 65% of organizations noted a loss of consumer trust, 57% reported damage to brand reputation, and about 60% of companies recorded direct financial losses. In monetary terms, one significant downtime incident cost Russian organizations an average of 2 million rubles.
The main reason for the increase in failures is still the use of outdated hardware and software without proper support and updates, experts noted. The withdrawal of foreign vendors from the Russian market has left Russian companies without regular updates and technical assistance, and attempts to replace foreign products with self-written tools or untested systems have created many new problems.
As a rule, hacker attacks are aimed at particular sectors and significant targets, such as critical infrastructure, large companies and enterprises, and in most cases involve malicious software, recalled Evgeny Pankov, a data analyst at the Coordination Center for the .RU/.РФ domains.
— Quite often, malware and phishing become part of a single fraudulent scheme: phishing gives access to credentials, and then the compromised systems are infected with malware, which leads to large-scale leaks or controlled cyber attacks. But the number of phishing requests in Russian domain zones decreased by 5.3% by the end of the year, — he noted.
Nevertheless, every hacking of corporate systems can cause serious damage, so companies should not only strengthen technical protection measures, but also increase the cyber literacy of employees, especially those with extended access rights: system administrators and IT specialists.
— In addition to standard measures such as timely software updates, installation of antivirus tools and network perimeter monitoring, it is important today to pay attention to password leaks of the company's customers and employees, through which hackers can get into the corporate infrastructure, — Ashot Oganesyan emphasized. — For this purpose, there are specialized services that allow you to automatically identify compromised accounts.
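The check Oganesyan describes, matching employee accounts against password leaks, can be illustrated with a small script. This is an added example, not code from Izvestia or from any of the services named in the article; the leak dump, the corporate domain and the directory contents are all constructed, and the salted SHA-256 stands in for whatever password hash a real directory uses. It distinguishes accounts whose leaked password is still in use ("reused") from accounts that merely appear in the dump ("exposed"), since the first group needs an immediate forced reset.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed leak dump in "email:password" combo-list form; no real data.
LEAK_DUMP = """\
alice@example-corp.ru:Summer2024!
bob@example-corp.ru:qwerty123
carol@other-company.ru:hunter2
malformed line without separator
dave@example-corp.ru:Winter2023?
"""

# Hypothetical set of corporate domains being monitored.
MONITORED_DOMAINS = {"example-corp.ru"}


def hash_password(password: str, salt: bytes) -> str:
    # Simplified salted hash; a real directory would use a slow KDF (argon2/bcrypt).
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_directory(plain: dict[str, str]) -> dict[str, tuple[bytes, str]]:
    # Hypothetical corporate directory: each account keeps a random salt and the salted hash,
    # never the plaintext. Plaintext is only used here to construct the sample.
    directory = {}
    for email, password in plain.items():
        salt = os.urandom(16)
        directory[email.lower()] = (salt, hash_password(password, salt))
    return directory


# Constructed directory: alice still uses the leaked password, bob has a different one,
# dave is not a known account at all.
DIRECTORY = build_directory({
    "alice@example-corp.ru": "Summer2024!",
    "bob@example-corp.ru": "S3cure-Pass-2025",
})


def parse_leak(dump: str) -> list[tuple[str, str]]:
    # Tolerant parser: skips blank and malformed lines, normalizes the email,
    # and keeps everything after the first ':' as the password (passwords may contain ':').
    entries = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email:
            continue
        entries.append((email, password))
    return entries


@dataclass
class Finding:
    email: str
    status: str  # "reused", "exposed" or "unknown-account"


def find_compromised_accounts(dump: str, directory: dict[str, tuple[bytes, str]],
                              monitored_domains: set[str]) -> list[Finding]:
    # Only accounts in monitored domains are considered; the leaked plaintext is hashed
    # with the account's own salt and compared in constant time, then discarded.
    findings = []
    for email, leaked_password in parse_leak(dump):
        domain = email.rsplit("@", 1)[1]
        if domain not in monitored_domains:
            continue
        record = directory.get(email)
        if record is None:
            findings.append(Finding(email, "unknown-account"))
            continue
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            findings.append(Finding(email, "reused"))
        else:
            findings.append(Finding(email, "exposed"))
    return findings


if __name__ == "__main__":
    for finding in find_compromised_accounts(LEAK_DUMP, DIRECTORY, MONITORED_DOMAINS):
        print(f"{finding.email}: {finding.status}")
```

Findings deliberately carry only the address and a status, not the leaked password, so the output can be handed to a helpdesk or SIEM without spreading the credential further. An "unknown-account" result is still worth a look: it may be a former employee or a personal registration on the corporate domain.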
According to Kaspersky DDoS Protection expert Vyacheslav Kirillov, in order to ensure protection, companies need, first of all, to audit services in the perimeter of the organization and regularly scan the infrastructure.
— In addition, it is important to determine which services require DDoS protection: trends show that an attack on the test environment can affect the availability of the entire organization, — he explained. — However, at the moment many enterprises protect their main services and do not always pay attention to the test ones. After drawing up the list of services to be protected against DDoS attacks, you should contact the provider and use it to build effective information security work.
It is equally important to optimize processes within the organization so that cybersecurity specialists and the IT department interact effectively with each other and with the client. Finally, companies should conduct annual test attacks to monitor the quality of the implemented solution and the effectiveness of the teams, he noted.
Translated by the Yandex Translate service