The number of hacker attacks involving password guessing has almost tripled since the beginning of 2025, Izvestia has found. Hackers have become more careful in choosing their victims and attack them more actively, both for espionage and blackmail and to carry out destructive actions against businesses and government agencies, cybersecurity companies said. Attacks most often came from IP addresses in the USA, China, Russia and India. For the other attack schemes in use, see the Izvestia article.

How passwords are selected

Since the beginning of 2025, the number of attacks using password guessing to gain access to the IT systems of Russian organizations has increased 2.7 times compared with the fourth quarter of 2024, according to data from the network of sensors and honeypots (traps. — Ed.) of Solar Group, the integrated security architect (Izvestia has the report).

Most often, the traps recorded brute-force attacks (a method of guessing passwords or encryption keys), which accounted for 94% of all events. Experts explain this trend by hackers' desire to quickly obtain logins and passwords for the internet-exposed IT infrastructure of Russian companies in order to then carry out more complex attacks.

Photo (hacker): IZVESTIA/Sergey Konkov

A further 4% were Path Traversal attacks, attempts to exploit vulnerabilities to gain illegitimate access to website files and directories, while CVE exploitation (exploiting known vulnerabilities) and Upload (delivering a malicious payload to the attacked server) accounted for 1% each.

The increase in the number of such attacks was also confirmed by Sergey Polunin, head of the IT infrastructure protection solutions group at Gazinformservice.

"There are several unrelated explanations. On the one hand, such attacks are getting cheaper," the expert explained. "On the other hand, numerous leaks provide material for such attacks, and thirdly, a certain seasonality can be identified."

Viktor Ievlev, Head of the Information Security Department of the Garda Group of Companies, noted that password guessing is one of the most common hacking activities.

Photo (password): IZVESTIA/Anna Selina

"Such attacks become possible when account name data has leaked," the expert emphasized.

Any open network port in a company's IT infrastructure makes it a potential target for automated and targeted attacks, said Roman Alabin, head of the information security group at InfoWatch.

"Using a GeoIP blocking system, our specialists record more than 100,000 connection attempts per day on a single open port," he said. "Connection attempts are recorded from different countries, but most often from Romania, the USA and Germany."

Photo (break-in): Global Look Press/Annette Riedl

However, most of the attacks came from the IP addresses of the USA (23%), China (16%), Russia (7%) and India (5%), experts noted.

"These countries have the largest hosting providers and botnets, so this popularity is not surprising," added Sergey Polunin. "But the geography of the IP addresses from which the attacks come does not reflect the location of the attackers themselves, who as a rule only use the computing power in these countries and may be anywhere."

What schemes do hackers use?

Since the beginning of the year, the number of attacked organizations has decreased by 34%, but the average number of attacks per company has increased 3.3 times. Solar 4RAYS experts explain this dynamic by a change in attackers' tactics from quantity to "quality": they now carefully select potential victims and attack them harder.

Analysis of sensor data suggests that the greatest threat to Russian organizations at the beginning of the year was posed by stealers (data theft programs), and the share of APT groups (hacker groups) rose to 27%. Another 18% were tools for gaining unauthorized remote access to IT systems. The rest were botnets (10%), ransomware (3%), mining (3%), phishing (1%), and downloader programs (3%) that deliver malware into the victim's infrastructure.

In some industries, the proportion of infections with ransomware, programs that encrypt infrastructure and demand a ransom for the return of data, has increased. In particular, two- to three-fold growth is observed in industry, education, credit and financial institutions, and the fuel and energy sector.

Photo (attack): IZVESTIA/Sergey Konkov

In addition to password guessing, phishing and social engineering remain among the top attack methods, added Elena Shamshina, head of the Threat Intelligence department at F6.

"There are also all kinds of supply chain attacks, exploitation of web application vulnerabilities, and the same leaked accounts that are being targeted," said Sergey Polunin. "There are many examples; literally every month or two you can find a fairly notable case. In March of this year, Roskomnadzor reported identifying 19 cases of personal data leakage, about 24 million records. This gives an idea of the scale of what is happening."

Cybercriminals often monitor IT systems for vulnerabilities that can be used to remotely execute code and inject malware to gain access to the system, Roman Alabin noted.

"DDoS attacks are also often used to take services down, when huge amounts of traffic are sent to a server or network in order to overload it and make it inaccessible to users," he said.

Hackers also actively compromise business correspondence, attack through web application vulnerabilities and third-party libraries, said Kirill Levkin, MD Audit project manager (Softline Group).

Photo (data): RIA Novosti/Natalia Seliverstova

"In recent months there has been a noticeable increase in attacks using legitimate software (Living off the Land), where attackers operate unnoticed inside the network using standard utilities," he explained. "For example, in a number of attacks on regional retail chains and IT companies the following scheme was used: phishing, infection through macros in documents, persistence via PowerShell, and connection to an external C2 server."

Currently, three vectors are mainly used in attacks on Russian companies, the press service of Doctor Web said: emails with malicious content, exploitation of vulnerabilities in services accessible from the Internet, and supply chain attacks.

How to protect yourself from hackers

A striking trend at the beginning of 2025 was hackers' active attempts to gain access to the IT systems of Russian companies by guessing passwords, said Alexey Vishnyakov, technical director of the Solar 4RAYS Cyber Threat Research Center at Solar Group. At the same time, attackers are increasingly turning to cyber espionage and sophisticated APT attacks, both to obtain valuable information and to destroy infrastructure, which can negatively affect the economy and security of the entire country.

"That is why we strongly recommend implementing comprehensive protection against cyber threats, which includes regular monitoring of incidents, checking services for vulnerabilities, observing password policies, monitoring leaks, and improving employee cybersecurity, because a successful social engineering attack is possible even in the most secure infrastructure," he said.

Photo (keyboard): IZVESTIA/Artem Korotaev

In the case of password guessing, companies need to understand which of their resources passwords will be guessed for, Doctor Web added. These can be VPN access accounts, as well as passwords to externally accessible services and devices.

"The approach should be comprehensive: a password strength policy must be established, and key-based authentication introduced where possible," the company said. "It also requires prohibiting external authentication on services where it is not needed for proper functioning, organizing access to services via a VPN, installing firmware updates for IoT devices in a timely manner, and changing access passwords."

Experts noted that in recent years it is often not crude dictionary-based guessing that is used; first of all, passwords for accounts from recent leaks are tried. In addition, password spraying is used: instead of trying many passwords against one account, one password is checked against many accounts.
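As an added illustration (not from the article or from any of the companies quoted), the following Python detector separates the two patterns just described on constructed auth-log lines: brute force shows many failures against one account from one source, while password spraying shows one source touching many accounts with few failures each. The log format, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log in a simplified sshd-like format (not real data).
SAMPLE_LOG = """\
2025-03-01T10:00:01 Failed password for admin from 203.0.113.5
2025-03-01T10:00:02 Failed password for admin from 203.0.113.5
2025-03-01T10:00:03 Failed password for admin from 203.0.113.5
2025-03-01T10:00:04 Failed password for admin from 203.0.113.5
2025-03-01T10:00:05 Failed password for admin from 203.0.113.5
2025-03-01T10:01:00 Failed password for alice from 198.51.100.9
2025-03-01T10:01:01 Failed password for bob from 198.51.100.9
2025-03-01T10:01:02 Failed password for carol from 198.51.100.9
2025-03-01T10:01:03 Failed password for dave from 198.51.100.9
2025-03-01T10:05:00 Failed password for alice from 192.0.2.44
2025-03-01T10:05:30 Accepted password for alice from 192.0.2.44
"""

FAILED_RE = re.compile(r"^\S+ Failed password for (\S+) from (\S+)$")


def parse_failures(log_text):
    """Extract (user, src_ip) pairs from failed-login lines only."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def classify(log_text, brute_threshold=5, spray_threshold=4):
    """Flag brute force (many failures on one account from one source) and
    password spraying (one source, a few failures each across many accounts).
    Thresholds are illustrative; a real detector would also window by time."""
    per_user_src = defaultdict(int)   # (user, src) -> failed attempts
    users_per_src = defaultdict(set)  # src -> distinct accounts tried
    for user, src in parse_failures(log_text):
        per_user_src[(user, src)] += 1
        users_per_src[src].add(user)
    brute = sorted((u, s, n) for (u, s), n in per_user_src.items()
                   if n >= brute_threshold)
    spray = sorted((s, len(users)) for s, users in users_per_src.items()
                   if len(users) >= spray_threshold)
    return {"brute_force": brute, "password_spraying": spray}


if __name__ == "__main__":
    for kind, hits in classify(SAMPLE_LOG).items():
        print(kind, hits)
```

The single failure from 192.0.2.44 followed by a success is left unflagged, which is the ordinary typo case the thresholds are meant to ignore.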

Photo (phone): IZVESTIA/Dmitry Korotaev

Access keys can be used instead of passwords, Roman Alabin pointed out.

"Device firmware and software should be updated to eliminate vulnerabilities. The software itself must be installed from trusted sources, otherwise there is a risk of opening access to intruders," he said. "It would also not be superfluous to monitor logs for abnormal activity."

Two-factor authentication should also be used on all external web services, Viktor Ievlev added.

"Vulnerability management needs to be organized in order to find vulnerabilities and close them in a timely manner or apply compensating measures," the expert emphasized.

Sergey Polunin noted the importance of working with a company's employees: in 2025, their training appears to be becoming the main way to prevent security problems.

Translated by the Yandex Translate service