In brief: how cyber attacks in Russia have changed in 2025
In 2025, the cyberattack landscape in Russia has undergone significant changes, experts report. Attackers' actions became more destructive, they actively used ransomware (encryptors), and they also launched coordinated campaigns involving several participants. For more on how cyber attacks in Russia have changed in 2025, what tools have joined the hackers' arsenal, and what has helped to counter them in recent months, see the Izvestia article.
What are the key trends of cyber attacks in 2025
In 2025, attackers' actions became more destructive, Kirill Mitrofanov, head of the Cyber Threat Intelligence analytics team at Kaspersky Lab, told Izvestia. Attackers also actively used ransomware (encryptors), whose operators traditionally become more active at the turn of the third and fourth quarters, as well as wipers, that is, malware designed to destroy the victims' infrastructure.
"Sometimes attackers used both kinds of malware at once: first they encrypted the data, and then they erased it," says the expert. "In addition, we are increasingly seeing coordinated campaigns involving multiple actors: one group provides access, another consolidates its presence, and the third is engaged in causing damage. This complicates incident investigation and attribution."
As Kirill Mitrofanov notes, the number of attacks through contractors is also growing: in this way, attackers gain access to several potential victims at once. In turn, Fedor Dbar, commercial director of the Security Code company, points out that in the first three quarters of 2025, attackers began to actively use several attack vectors at once, combining various methods.
Thus, the main categories of attacks included malware, C2 (command and control), in which hackers use dedicated infrastructure to manage infected devices, and phishing.
What tools appeared in the arsenal of hackers in 2025
Over the past months, attackers have become more focused on long-term campaigns, during which they use various automated tools, says Fedor Dbar. The goal is not so much to break through the security perimeter as to penetrate as deeply as possible and cause a critical collapse of the target IT infrastructure.
"Perhaps the main change in 2025 is that attackers are gradually beginning to master the malicious potential of GPT services," Stanislav Pyzhov, head of the malware analysis group at the Solar 4RAYS Cyber Threat Research Center at Solar Group, said in an interview with Izvestia. "So far, this is not a massive phenomenon, but we have already encountered malware code, at least some of which, in our opinion, could have been written using vibe coding."
Kirill Mitrofanov also points out that groups that have not previously used their own malware are starting to create their own tools, and in some cases they use artificial intelligence (AI) to develop them.
In turn, R-Vision technical account manager Alexander Vinokurov notes that attackers sometimes embed AI directly into malware: such "adaptive" viruses analyze the environment, adjust to the configuration of the infrastructure, and find individual ways to bypass protection mechanisms. This dramatically increases their effectiveness and reduces the likelihood of detection.
Among other innovations, Stanislav Pyzhov highlights the more active use of the Rust language by attackers to create malware. So far, this is a problem for the information security industry, since analyzing malware samples written in Rust is more difficult than analyzing samples written in any other language. This seriously hinders and slows down the development of protective measures against such malware.
Which targets hackers attacked first and foremost in 2025
Year after year, cybersecurity experts observe that attackers go where there is money or confidential information that can be sold or used to carry out other attacks, says Stanislav Pyzhov. 2025 was no exception: attackers hunted primarily for the industries that are potentially the most "profitable" from this point of view: organizations from the public sector, healthcare, industry, and the fuel and energy complex.
"Attacks on the public sector and the fuel and energy sector are caused, among other things, by geopolitics — both areas have a strong impact on the country's economy, and, accordingly, data from such organizations are of high value to attackers working in the interests of foreign intelligence services or wishing to cause significant damage," the source said.
In addition, according to Alexander Vinokurov, as businesses have moved massively to cloud services and distributed storage environments, the attack vector has also shifted towards cloud infrastructure. At the same time, the attractiveness of the crypto infrastructure for attackers is growing. The amount of capital stored in digital assets is increasing, and this makes the industry one of the most profitable for cybercriminals.
At the same time, the activity of cybercriminals throughout 2025 was not uniform. According to Alexander Pyzhov, there was a relative lull in the first half of the year: many groups decreased their activity, and the number of investigations of large-scale incidents in the practice of cybersecurity specialists decreased. However, in July, the situation began to change: there were a series of statements about large-scale attacks against retailers and other companies. In terms of consequences, it was one of the busiest periods of the year.
"The second intense period is happening right now. The holiday sales period, which started on November 11 and ends at the end of December, is traditionally accompanied by the activation of intruders aimed at stealing money: attacks by banking Trojans, fraudulent schemes that parasitize discount offers, and other similar threats are most relevant during the sale period," the expert notes.
Which methods of protection against cyber attacks have become the most relevant
Over the past months of 2025, the network security segment has become the most in demand: according to Fedor Dbar, companies pay the most attention to the implementation of multi-factor authentication tools, network traffic analysis, threat detection automation, and IT infrastructure segmentation.
"In addition to the development of standard security tools, the Russian information security market is experiencing an increase in the popularity of managed security services that provide round-the-clock monitoring and response, especially for small and medium-sized businesses," Irina Zinovkina, head of analytical research at Positive Technologies, said in an interview with Izvestia.
According to the expert, several factors contribute to this, including the shortage of qualified personnel, the complexity of modern cyber threats, economic efficiency (since creating and maintaining your own SOC requires significant investments), as well as rapid incident response and protection of distributed infrastructures and hybrid environments.
In general, it is worth noting that the wave of "template" attacks on small and medium-sized businesses in the coming years will force such organizations to increase their level of security. In the next five years, there may be a situation in which low-skilled cybercriminals will look for businesses that neglect security to carry out simple attacks that are accessible to their skill level, Irina Zinovkina notes.
"Today, more and more companies are switching to the 'default security' model, introducing tools for code analysis, automated testing and security control at the development stage," concludes Alexander Vinokurov. "This approach allows you to detect vulnerabilities before the product is put into operation and significantly reduces the risks of critical incidents."
Translated by the Yandex Translate service.