
Since 2022, Russia has held the status of the most attacked country in the world in terms of hacker activity. The main change in the cyber threat landscape over the past three years, experts say, has been an avalanche of attacks on domestic companies and the public sector by pro-Ukrainian groups. The most frequent targets are industrial enterprises, telecom operators, construction companies and the IT sector. Details in this Izvestia report.

Growing threat

Russia became the most attacked country in the world in 2022 and remains so to this day, said Dmitry Galov, head of Kaspersky GReAT in Russia. Shortly after the events of February 2022, dozens of hacker groups and hacktivists began targeting Russian organizations, and mass attacks on ordinary users followed.

"While previously it was possible to say that some types of organizations were attacked more often and some less often, now attackers are trying to hack almost everything they can reach," says Ivan Syukhin, head of the Solar 4Rays incident investigation team at Solar Group.


Positive Technologies counted 220 successful attacks on Russian organizations in 2022, according to Irina Zinovkina, head of analytical research at the company. In 2023 the number fell to 167, while in 2024, with the year not yet over, 217 attacks had already been recorded.

The targets of cyberattacks have also changed over the past three years, Ivan Syukhin believes. Where in February 2022 pro-Ukrainian groups attacked organizations to obtain data, they now aim to damage infrastructure.

For example, intrusions whose aim is to cause maximum damage have become more frequent, the expert specifies. In such attacks the intruders disable IT systems, publish confidential data and seek to publicize the event as widely as possible.

Asian groups also continue to spy on Russian companies and government organizations, Syukhin stresses.

"Unlike pro-Ukrainian groups, their tactics and techniques are aimed at a maximally discreet presence in the attacked organization and covert collection of confidential information," he explains.

In general, since 2022, more and more industries have become the focus of hackers' attention, according to Solar 4RAYS data.


"In addition to traditional targets (the public sector, industry, finance and IT), in 2024 we saw attacks on areas that cybercriminals had not previously shown much interest in, for example religious institutions and companies in the agricultural industry," Syukhin lists.

According to Kaspersky Managed Detection and Response, in the first half of 2024, the number of critical cyber incidents in Russia and the CIS increased by 39% compared to the same period in 2023. The largest number of such incidents was experienced by organizations in telecommunications (more than 10-fold increase), construction (doubled) and IT (slight drop of about 10%).

Illegal activism

Another change in the cyber threat landscape since 2022 is the emergence of hacktivists in Russia, points out Denis Kuvshinov, head of the TI department at Positive Technologies' Expert Security Center (PT ESC).

"Hacktivists are groups of hackers who disagree with certain geopolitical events. They usually conduct basic attacks, such as DDoS of websites, and may also publish various confidential documents," the expert explains.

At the moment, hacktivists are the main forces attacking Russia, he notes. In total, according to Positive Technologies, 35 hacktivist groups are active against the Russian Federation.


Most often such attackers do not demand a ransom from companies for their actions, Denis Kuvshinov specifies. Until 2023 they published stolen data in their channels for free. Recently, however, attacks have become more intelligent and targeted: stolen information is used to mount further attacks.

According to the results of Solar JSOC monitoring, there was a surge of attacks by lone-wolf hacktivists in early 2022, confirms Ivan Syukhin. As a rule, they used simple DDoS or defacement of publicly important resources. The goal was not real damage, but to create a public outcry, he believes.

"However, by the beginning of 2023 it had become obvious that there were fewer and fewer loners: they either stop their attacks altogether or unite under the guidance of more experienced hackers, building up their knowledge and skills," the expert believes.

At the moment, in his opinion, the share of professional attackers, such as cyber mercenaries or pro-government groups, has grown. In contrast, there are fewer hacktivists.

"The share of investigations in which hacktivism and cyber hooliganism were the goal of the attack has fallen from 46% to 11% over the past year," Syukhin says, citing statistics.

A total of 26 hacker groups attacking the Russian region are active today, Kuvshinov adds.


"These groups are traditionally engaged in espionage and theft of confidential data, which makes it difficult to distinguish them from hacktivists. The main difference is that hacktivists speak openly about the hack, while the groups say nothing about the stolen data," the expert said.

Types of attacks

The most common threats to users include phishing, in particular targeting Telegram users, phone fraud and other social engineering methods, as well as malware, says Dmitry Galov.

The most basic scheme is sending the victim a phishing email with an infected attachment, Denis Kuvshinov recalls. The person receives the email and opens the attachment, which carries the attacker's tool, and the computer is infected.

"Later, interaction with the command-and-control server begins, and the hackers can exfiltrate data from the victim's computer or monitor what it does," the expert notes.

Attackers can also exfiltrate data from the victim's computer through Telegram, as well as through Discord, Roblox, Yandex Disk and other popular services.
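As an added example (not code from the article or from any of the companies quoted), the following Python script applies the detection a SOC would want for the chain just described: it parses constructed endpoint proxy-log lines and flags processes that have no business talking to the Telegram, Discord and Yandex Disk APIs, file uploads through a Telegram bot token, and cumulative upload volume that crosses a bulk threshold. The log format, the API host names, the process allow-list and the thresholds are assumptions to be tuned for a real fleet.

```python
"""Detection for the phishing -> C2 -> exfiltration chain: flag workstation
traffic that abuses legitimate messenger and cloud APIs as exfil channels.
Added example; the proxy log below is constructed, and host names, the
process allow-list and thresholds are assumptions to tune for a real fleet."""
import re
from collections import defaultdict

# Public API hosts of the services named as exfiltration channels (assumption).
EXFIL_HOSTS = {
    "api.telegram.org": "Telegram Bot API",
    "discord.com": "Discord webhook API",
    "cloud-api.yandex.net": "Yandex Disk REST API",
}
# Processes that legitimately talk to those hosts on a workstation (assumption).
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "telegram.exe", "discord.exe", "yandexdisk.exe"}
# Bytes uploaded per (host, process, destination) above which a bulk transfer is flagged.
BULK_BYTES = 5 * 1024 * 1024
# The desktop Telegram client never calls /bot<token>/...; only bots (and malware) do.
BOT_UPLOAD_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/send(Document|Photo|Video)")

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) method=(?P<method>\S+) path=(?P<path>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: one benign Discord visit, a stager running as svchost.exe pushing
# two 3 MiB files through a Telegram bot, a legitimate Yandex Disk client, and a
# PowerShell process uploading to Yandex Disk. The bot token is made up.
SAMPLE_PROXY_LOG = """\
2024-10-03T09:12:44Z host=WS-1042 user=ivanov proc=chrome.exe dst=discord.com method=GET path=/channels/@me bytes_out=812
2024-10-03T09:13:01Z host=WS-1042 user=ivanov proc=svchost.exe dst=api.telegram.org method=POST path=/bot7123456789:AAHdq1Yb5kQ2xJnZcO3mP9TfR4LpVs8Kw-c/sendDocument bytes_out=3145728
2024-10-03T09:13:07Z host=WS-1042 user=ivanov proc=svchost.exe dst=api.telegram.org method=POST path=/bot7123456789:AAHdq1Yb5kQ2xJnZcO3mP9TfR4LpVs8Kw-c/sendDocument bytes_out=3145728
2024-10-03T09:20:15Z host=WS-0877 user=petrov proc=yandexdisk.exe dst=cloud-api.yandex.net method=PUT path=/v1/disk/resources/upload bytes_out=2097152
2024-10-03T09:21:40Z host=WS-0877 user=petrov proc=powershell.exe dst=cloud-api.yandex.net method=PUT path=/v1/disk/resources/upload bytes_out=1048576
""".splitlines()


def parse_proxy_line(line):
    """Return the log record as a dict, or None for a line in an unknown format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["proc"] = rec["proc"].lower()
    return rec


def detect_exfil(lines):
    """Run the three rules over the log; one finding per rule/host/process/destination."""
    findings, seen = [], set()
    volume = defaultdict(int)

    def report(rule, rec, detail):
        key = (rule, rec["host"], rec["proc"], rec["dst"])
        if key in seen:  # the same process doing the same thing again is not a new alert
            return
        seen.add(key)
        findings.append({"rule": rule, "host": rec["host"], "user": rec["user"],
                         "proc": rec["proc"], "dst": rec["dst"], "detail": detail})

    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["dst"] not in EXFIL_HOSTS:
            continue
        service = EXFIL_HOSTS[rec["dst"]]
        # Rule 1: a process that is not a known client of the service is using its API.
        if rec["proc"] not in EXPECTED_CLIENTS:
            report("unexpected_client", rec, f"{rec['proc']} talking to {service}")
        # Rule 2: file upload through a Telegram bot token (not what the messenger client does).
        if rec["dst"] == "api.telegram.org" and BOT_UPLOAD_RE.match(rec["path"]):
            report("bot_api_upload", rec, "file upload via Telegram bot token")
        # Rule 3: cumulative upload volume to one service crosses the bulk threshold.
        vkey = (rec["host"], rec["proc"], rec["dst"])
        volume[vkey] += rec["bytes"]
        if volume[vkey] >= BULK_BYTES:
            report("bulk_upload", rec, f"{volume[vkey]} bytes sent to {service}")
    return findings


if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_PROXY_LOG):
        print(f"[{f['rule']}] {f['host']} {f['user']} {f['proc']} -> {f['dst']}: {f['detail']}")
```

On the constructed sample the script raises four alerts: svchost.exe as an unexpected Telegram client, the bot-token upload, the 6 MiB cumulative upload from that process, and PowerShell talking to the Yandex Disk API. The benign Chrome and Yandex Disk client traffic is left alone, which is the point of allow-listing by process rather than blocking the service outright.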


"At the same time, attackers do not stand still and are constantly improving their techniques. For example, in 2023 we noted a sharp increase in attacks on users through the hacking of vendors and service providers, that is, organizations that have access to the victims' networks. And attacks on companies have begun to use tunneling utilities to gain access to closed segments of organizations' networks," warns Dmitry Galov.

According to investigations by the Solar 4RAYS team, espionage was the goal of 54% of attacks in 2024. A further 20% were direct extortion (including data encryption) and cryptocurrency mining, and another 11% involved destruction of the attacked company's data.

"If we talk about the methods of initial penetration into the infrastructure, in 2024 the majority of successful attacks were associated either with exploiting vulnerabilities in the Internet-accessible parts of organizations' IT infrastructure or with using compromised employee credentials," says Ivan Syukhin.

Exploitation of web vulnerabilities used to be the undisputed leader by number of attacks (over 70%). However, the massive data leaks of recent years have put a large number of work email addresses, logins and passwords into attackers' hands, the expert points out. All of this has made account compromise another serious security problem.


Among the malware used in attacks on Russian organizations, Irina Zinovkina singles out encryptors (ransomware), remote access trojans, loaders, spyware, wipers (data destruction tools), miners and others.

Among the reasons hackers achieve their goals, the specialist names outdated OS and software versions, the absence of two-factor authentication for access to corporate resources, insufficient network segmentation, ineffectively configured endpoint protection, vulnerable services on the external perimeter, insecure storage of confidential information and weak password policy.

Network self-defense

The use of outdated versions of operating systems and software is one of the key challenges in information security, experts agree. After 2022, many foreign vendors abruptly ceased their operations in the country, which caused a crisis of confidence in foreign software, confirms Dmitry Galov.

"Corporate users could have been left without protection from cyber threats had it not been for timely support from Russian players. At the same time, it stimulated import substitution and the rapid development of cybersecurity in Russia," the expert emphasizes.


This situation has forced Russian organizations to reconsider their approaches to cybersecurity and increase investments in this area.

"And this does not pass without a trace: we can see that over the past few years the level of information-security expertise among domestic companies, especially among large customers, has grown significantly. The need for expert solutions and quality sources of cyber intelligence data has also grown significantly," Izvestia's source is convinced.

Today the way to make life as difficult as possible for hackers is to build a defense in depth (echeloned defense), says Alexey Ledenev, head of product expertise at PT ESC. The point is to raise the cost of an attack to a level at which it no longer pays off.

More broadly, to protect against cyber threats Ivan Syukhin recommends strictly controlling remote access to the infrastructure (especially for contractors) and treating password policy with the utmost seriousness. It is important to use account-leak monitoring services and to act on their findings in time.

In addition, according to the expert, notifications of possible compromise from the National Computer Incident Coordination Center and private companies with expertise in information security should be taken seriously.


"It is also necessary to use advanced security tools (EDR, SIEM) alongside classic security software, so as to be able to monitor events in the infrastructure and detect unwanted activity in time," Izvestia's source said.

It is also important to carry out a compromise assessment promptly when a cyberattack is suspected, to update all software used in the infrastructure without delay, to give the in-house information-security team constant access to the latest information on the cyber threat landscape in the region, and to raise employees' cyber literacy, Ivan Syukhin summarizes.
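Two points made above, that compromised credentials from mass leaks are now a leading initial-access vector and that a SIEM should be watching the infrastructure for such activity, can be tied together in one detection. The following Python script is an added example (not code from the article or from the quoted companies): it runs a sliding-window check over constructed authentication-log lines to spot password spraying (one source failing against many distinct accounts, which a per-account lockout never sees) and, the stronger signal, a successful login from that same source shortly afterwards. The log format, the window and the thresholds are assumptions.

```python
"""Detect password spraying and the login success that follows it: the pattern
left when attackers try credentials from mass leaks against an organization.
Added example; the authentication log is constructed, and the log format,
window and thresholds are assumptions to tune for a real environment."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back per source address (assumption)
SPRAY_USERS = 5                 # distinct accounts failing from one source inside WINDOW (assumption)

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: a user mistyping a password twice (benign), one source trying
# six accounts and then logging in as the sixth, and a source probing three accounts
# (below threshold). Addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
2024-10-03T08:00:05Z src=10.0.0.5 user=ivanov result=FAIL
2024-10-03T08:00:21Z src=10.0.0.5 user=ivanov result=FAIL
2024-10-03T08:00:40Z src=10.0.0.5 user=ivanov result=OK
2024-10-03T08:02:00Z src=203.0.113.7 user=a.petrov result=FAIL
2024-10-03T08:02:31Z src=203.0.113.7 user=e.smirnova result=FAIL
2024-10-03T08:03:02Z src=203.0.113.7 user=d.kuznetsov result=FAIL
2024-10-03T08:03:33Z src=203.0.113.7 user=o.popova result=FAIL
2024-10-03T08:04:04Z src=203.0.113.7 user=s.vasiliev result=FAIL
2024-10-03T08:04:35Z src=203.0.113.7 user=n.sidorov result=FAIL
2024-10-03T08:05:06Z src=203.0.113.7 user=n.sidorov result=OK
2024-10-03T08:07:00Z src=198.51.100.9 user=admin result=FAIL
2024-10-03T08:07:10Z src=198.51.100.9 user=root result=FAIL
2024-10-03T08:07:20Z src=198.51.100.9 user=test result=FAIL
""".splitlines()


def parse_auth_line(line):
    """Return (timestamp, source, user, result) or None for an unrecognised line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"].lower(), m["result"]


def detect_spray(lines):
    """Sliding-window spray detection; returns findings in the order they fire."""
    findings = []
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures inside WINDOW
    spraying = set()             # sources already reported as spraying
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        ts, src, user, result = rec
        q = recent[src]
        while q and ts - q[0][0] > WINDOW:  # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            users = {u for _, u in q}
            # Few attempts per account but many accounts from one source is a spray.
            if len(users) >= SPRAY_USERS and src not in spraying:
                spraying.add(src)
                findings.append({"rule": "password_spray", "src": src, "users": len(users),
                                 "first_seen": q[0][0].isoformat(), "last_seen": ts.isoformat()})
        elif src in spraying and q:
            # A success from a source that was spraying within the window means a leaked
            # credential worked: reset that account and hunt for what the session did.
            findings.append({"rule": "success_after_spray", "src": src, "user": user,
                             "at": ts.isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_AUTH_LOG):
        print(f)
```

On the constructed log the benign retries from 10.0.0.5 and the three probes from 198.51.100.9 stay quiet; 203.0.113.7 is reported once it has failed against five distinct accounts, and its login as n.sidorov a minute later produces the high-severity finding that should drive a password reset and a session investigation.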
