
Question of the group: Ukrainian hackers are massively attacking Russians with the help of AI

Ukrainian hackers began to regularly use AI solutions to attack Russians - the number of such attacks increased by 48% in the first five months of 2025 compared to the same period in 2024. The leader in the number of such attacks was the Librarian Ghouls group, whose core is made up of hackers from Poland and Ukraine. They do not develop their own programs, but buy ready-made solutions on the darknet and refine them with the help of illegal AI agents.
Massive cyber attacks from Ukraine
In 2025, Russians are systematically subjected to massive attacks from hackers from Eastern Europe, in particular, from Ukraine and Poland. The number of such attacks increased by 48% in the first five months of the year, with illegal platforms with AI elements that facilitate the creation of malware becoming a key factor. This was reported to Izvestia by Alexander Matveev, director of the Center for Monitoring and countering cyber attacks at IZ:SOC Informzashchita.
"AI is capable of creating malware that hackers use to attack companies. To do this, using neural networks, it is necessary to find special models on the darknet that have removed ethical barriers. The subscription for such assistants is usually $200 per month," he explained.
AI-generated viruses are mainly used by novice hackers who are unable to create a complex program on their own. This is the main problem of using technology to develop malware: it physically increases the number of intruders, which is why the number of information security incidents is growing, the expert noted. Another factor was the large-scale spread of the criminal Ransomware-as-a-Service (RaaS, that is, "extortion as a service") model, which owes its spread to its low cost, itself a result of the use of AI tools.
According to Alexander Matveev, the most dangerous group is called Librarian Ghouls, which accounts for 15-20% of extortion attacks on Russian organizations.
"Attribution of cyber attacks is complex and often politicized. Hacker groups like Librarian Ghouls are often linked to a political agenda, so there is nothing surprising in such 'selectivity' towards the Russian Federation," explained Igor Bederov, director of the cyber research department at T.Hunter.
The group is actively gaining momentum and differs in that it uses ready-made programs from the darknet created with the help of illegal AI programs. The backbone is made up of hackers from Eastern Europe, he added.
According to Informzashchita, in 40% of cases, vulnerabilities in software and hardware solutions responsible for monitoring and managing physical devices become the entry point. Many enterprises are in the process of digitalization, which is what the attackers are exploiting. Thus, in the first quarter of 2025, the demand for vulnerability management services in Russia increased by 30%. Industry remains the most attacked sector for the second year in a row, accounting for about 23% of all attacks. Retail (12%), telecom (10%), the IT sector and government agencies (9% each) are also at high risk.
"The Librarian Ghouls group has been operating since about December 2024, with mainly industrial enterprises and educational institutions in its area of interest. The attacks are carried out very cunningly: phishing emails are sent to victims with encrypted archives containing seemingly official documents. By opening the attachment, the user launches a script chain that installs third-party covert operation software and utilities for removing confidential data and cryptocurrency keys on his PC. After collecting the necessary information, the attackers quietly install a cryptocurrency miner on the victim's machine and remove their traces. This makes the group's attacks especially dangerous: companies may not even notice the data leak until hackers demand a ransom or start using the stolen items," Igor Bederov added.
What are the dangers of hacking and cyberattacks?
With the help of AI, you can copy any website down to the smallest detail, which is why it is often difficult to identify a fake. And development assistants allow you to quickly create entire CRM systems to put deception on stream, said Ilya Sklyuyev, a specialist in Non-artificial Intelligence.
The number of new encryption modifications has almost quadrupled compared to the end of 2024, Igor Bederov noted. According to him, more than 85 thousand users have encountered ransomware. At the same time, in the context of a geopolitical conflict, the number of aggressor groups and the frequency of their attacks are only increasing.
Hackers are actively switching to double/triple extortion strategies when, along with data encryption, they threaten to release stolen information in order to maximize pressure on the victim and increase the chances of receiving a ransom, he added.
In the second quarter of 2025, experts from the cyber intelligence department of F6 observe consistently high activity by encryption groups. They have two goals: to get a ransom or to cause maximum damage to organizations. Experts have recorded a large number of attacks targeting Russia, in particular illegal actions by DarkStar (ex. Shadow/c0met), Mimic ransom and Proton/Shinra.
"Most of the groups attacking Russia in the second quarter are still using the leaked LockBit 3 Black and Babuk encryptors. The main types of damage that can be caused with their help are theft of information, disclosure of information about the organization and, as a result, a ransom demand, which leads to reputational and financial losses," the organization's press service explained.
According to Alexey Shcherbakov, technical director of the Lukomorye IT ecosystem, slogans of the struggle for justice and against large corporations are often seen in associations such as Librarian Ghouls, but in fact they simply hide behind these theses for commercial activities. According to the expert, their activities are often used in the interests of third parties — with the help of targeted information stuffing, they can be controlled, achieving a certain effect at the right time for fraudsters.
Informzashchita experts remind you that the main rule is not to pay extortionists. Practice shows that by paying once, a company is highly likely to face a repeat attack.
Translated by the Yandex Translate service