Pro-Ukrainian hackers are increasingly seeking to completely destroy data during attacks on Russian companies and government agencies. They went from a demonstrative effect to attract attention to purposefully causing maximum damage. This suggests that the nature of the cyber war waged against Russia has changed — it has become more systemic, sophisticated and destructive, experts say. What are the dangers of attacks aimed at destroying data, and how to protect yourself from them — in the Izvestia article.

A new round of cyber warfare

In 2025, according to Solar 4RAYS, 9.3 million cases of infection of Russian companies with malware (abbreviated VPO in Russian-language reports) were recorded. Such incidents affected 38.5 thousand organizations.

Last year, 76% of critical cyberattacks were aimed at outright infrastructure destruction, according to the strategic cyber threat review presented by Jet Infosystems. As companies' resilience to DDoS attacks grows and defacements (hacks that replace website content) lose their value, hackers have switched to scorched-earth tactics: ransomware encryptors (44%) and wipers (32%), which destroy data outright, became the leading cyber threats causing business disruption.

Photo (keyboard): IZVESTIA/Pavel Volkov

Attacks aimed at the irrevocable destruction of information resources have become increasingly common, the National Computer Incident Coordination Center (NCCC) has confirmed. Essentially, this means encrypting data with malware in such a way that it can no longer be restored.

The essence of the attack is that, using special malware, the attacker encrypts user files and renames them by appending a specific extension. Without a decryptor, the data cannot be recovered. Previously, criminals used this for digital extortion: a ransom was demanded from the victim in exchange for a special key that restores access to the data.

Now, according to Petr Belov, deputy director of the NCCC, hackers who encrypt data do not ask for money for its recovery. In effect, this is the complete destruction of information by means of encryption.

Against the background of this trend, wipers have gained popularity: an attack with such malware leaves no possibility of data recovery at all, and the entire system fails.

Photo (hacker): IZVESTIA/Alexander Kazakov

The motives for the complete destruction of data in a cyberattack may vary. They include digital vandalism, sabotage, hiding traces of intrusion into the system, and halting business processes. In the context of the ongoing cyber war against Russia, such malware is used to create public outcry and psychological pressure, as well as to cause economic damage, said Stanislav Pyzhov, head of the malware analysis group at the Solar 4RAYS Cyber Threat Research Center at Solar Group. At the same time, the noisy hacktivism that was especially noticeable in 2022 is no longer at the forefront, says Yan Blinov, incident response expert at Angara MTDR. The focus has shifted from a demonstrative effect to purposefully causing maximum damage to specific Russian organizations, with an emphasis on disrupting processes, data loss, service shutdowns, and long-term consequences for businesses and government agencies.

This, the expert says, suggests that the nature of cyber warfare against the Russian Federation has changed recently: it has become more systemic, sophisticated and destructive, and its goals, scope and methods have become noticeably more complex over time.

Geography of attacks

According to the Kaspersky Threat Intelligence Portal, there are now more than 100 unique hacker groups targeting Russian organizations. These are mainly APT groups (highly skilled hacker teams that carry out long-term, covert and targeted attacks) and hacktivists.

It is usually extremely difficult to establish the specific nationality of the attackers. Attackers use anonymizing infrastructure and other people's servers, deliberately confusing their tracks, Stanislav Pyzhov points out. Destructive attacks are often carried out by hacktivist groups with a distributed membership.

Photo (cybercriminals): Global Look Press/Pogiba Alexandra

However, in the current situation in Russia, attacks from pro-Ukrainian and anti-Russian hacker groups, as well as related cybercrime groups, are most noticeable. Among such groups, Yan Blinov highlights Bearlyfy (Laboo.boo), which has been operating since the beginning of 2025, the BO Team, which some researchers associate with the main intelligence directorate of the Ministry of Defense of Ukraine, as well as the pro-Ukrainian 4B1D.

Notable groups include Shedding Zmiy, Lifting Zmiy, and Partisan Zmiy (the designation Zmiy is used to describe groups supposedly operating from the Eastern European region), Pyzhov adds. These are pro-Ukrainian associations whose activities are of a pronounced political nature.

The desire for destruction

The activity of pro-Ukrainian groups, which has shifted towards the irrevocable destruction of data, indicates a new round of cyber warfare that has unfolded since 2022. Such attacks pose one of the most dangerous threats to businesses and government agencies because they lead to critical financial and reputational losses.

"By disabling information systems and suspending production and operational processes, attackers seek to disrupt the stable operation of enterprises that are key to the economy. This can lead to prolonged paralysis of organizations, disruptions in supply chains, serious economic losses, and can even affect ordinary users," warns Georgy Kucherin, senior expert at Kaspersky Lab's Global Threat Research and Analysis Center.

Photo (service provider): IZVESTIA/Yulia Mayorova

Most often, the targets for attacks aimed at the complete destruction of information are not abstract "large companies", but those industries where failure quickly turns into real damage to people and the economy, confirms Yan Blinov. The most notable in 2025 were attacks on telecom and Internet service providers, air carriers and transportation companies, as well as electronic trading platforms.

"It is critical and massively used services that are the most vulnerable, and not just the classic 'critical infrastructure' in the narrow sense: the more an organization is embedded in the daily life of society, the more noticeable the consequences of an attack," the expert explains.

However, incidents aimed at the complete destruction of information can affect not only various industries but also organizations of any size. Small businesses are not immune either, because, according to Stanislav Pyzhov, intruders have no clear prioritization: they attack whoever can be hacked.

Meet me at the entrance point

The success of cyberattacks that destroy data is mainly due to mistakes made when building the infrastructure and its protection. According to BI.ZONE Digital Forensics and Incident Response, the vast majority of companies face the same critical issues, which create ideal conditions for intruders. The key errors are an uncontrolled perimeter (test servers, outdated VPN gateways and unsecured web applications become a convenient entry point into the infrastructure for an attacker), lack of mail filtering, failure to use two-factor authentication for VPN connections, and unsecured contractor access.

Photo (VPN): IZVESTIA/Polina Violet

Therefore, it cannot be said that the changing nature of threats requires a radically new approach to protection. Modern systems are able to detect and block a significant share of attacks, but many organizations simply have not built this complex: there are not enough specialists, there is not enough budget, response and recovery processes are not worked out, and security measures are implemented piecemeal, says Yan Blinov.

"Where the defense is built systematically, an attack can be quickly noticed and contained. Where there are gaps in processes and visibility, even a relatively simple operation can lead to serious consequences," he warns.

Defensive solutions by themselves cannot reliably prevent a cyberattack: they create a foundation, but without regular monitoring they remain a passive barrier, Stanislav Pyzhov confirms. Organizations without round-the-clock monitoring often fail to notice an attack at an early stage and discover the destruction of data only after the fact, the next morning.
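As an added illustration of the early-stage monitoring the experts describe (example code, not from the article or any of the quoted companies): a Python heuristic that scans file-activity audit lines for a single process renaming many files to a new extension (the encryptor pattern described above) or deleting many files (the wiper pattern) within a short window. The log format, field names, thresholds and sample paths are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed audit lines (not from the article), assumed format: <ISO time> <host> <user> <pid> <op> <path>[ -> <new path>]
SAMPLE_LOG = """\
2025-03-01T02:14:40 fs01 j.ivanov 3120 RENAME /share/finance/draft.docx -> /share/finance/final.docx
2025-03-01T03:02:01 fs01 svc_upd 4412 RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.locked
2025-03-01T03:02:02 fs01 svc_upd 4412 RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.locked
2025-03-01T03:02:02 fs01 svc_upd 4412 DELETE /share/finance/q2.xlsx.bak
2025-03-01T03:02:03 fs01 svc_upd 4412 RENAME /share/hr/staff.db -> /share/hr/staff.db.locked
2025-03-01T03:02:04 fs01 svc_upd 4412 RENAME /share/hr/payroll.csv -> /share/hr/payroll.csv.locked
2025-03-01T03:02:05 fs01 svc_upd 4412 RENAME /share/hr/notes.txt -> /share/hr/notes.txt.locked
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (WRITE|RENAME|DELETE) (\S+)(?: -> (\S+))?$")
WINDOW_SECONDS = 60     # sliding window per process (assumed tuning value)
RENAME_THRESHOLD = 5    # extension-changing renames per window (encryptor pattern)
DELETE_THRESHOLD = 10   # deletions per window (wiper pattern)

def extension(path):
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_destructive_bursts(log_text):
    """Map (host, pid) -> (user, top_new_ext, renames, deletes) for each process that crosses a threshold."""
    events = defaultdict(deque)   # (host, pid) -> deque of (time, op, new_ext) inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, pid, op, path, new_path = m.groups()
        t = datetime.fromisoformat(ts)
        if op == "RENAME" and new_path and extension(new_path) != extension(path):
            ev = (t, "RENAME", extension(new_path))   # extension changed: encryption candidate
        elif op == "DELETE":
            ev = (t, "DELETE", None)
        else:
            continue   # plain writes and same-extension renames are normal activity
        q = events[(host, pid)]
        q.append(ev)
        while (t - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()   # age out events older than the window
        n_ren = sum(1 for e in q if e[1] == "RENAME")
        n_del = len(q) - n_ren
        if (n_ren >= RENAME_THRESHOLD or n_del >= DELETE_THRESHOLD) and (host, pid) not in alerts:
            top_ext = Counter(e[2] for e in q if e[1] == "RENAME").most_common(1)[0][0] if n_ren else ""
            alerts[(host, pid)] = (user, top_ext, n_ren, n_del)   # raised once, at the first crossing
    return alerts
```

On the constructed sample the benign same-extension rename by j.ivanov is ignored, while svc_upd is flagged at its fifth rename to .locked, before the bulk of a share would have been touched.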

Photo (cyberattack): IZVESTIA/Sergey Lantyukhov

Therefore, the most effective protection against losing data to intruders is a comprehensive, layered system in which technologies, processes and people work together, Blinov is convinced. It usually includes network segmentation, backups with verified recovery, privilege control, multi-factor authentication, event monitoring, vulnerability management, and a tested incident response plan.

"Isolation of critical segments, immutable backups, regular recovery exercises, and raising staff awareness are especially important for protection against attacks aimed at destroying data. What matters is not only detecting and containing the incident, but also the team's ability to quickly return services to working order after the attack," the expert emphasizes.

When building protection, Pyzhov recommends following the Assumed Compromise principle: assume that attackers will sooner or later get into the infrastructure, and therefore devote all efforts to protecting critical resources from compromise and destructive actions rather than trying to avoid attacks altogether.

It is important not only to deploy advanced security solutions, but also to build information security processes in the organization, to hunt for threats proactively, and to pay attention to the security posture of contractors, who can become a convenient entry point for attackers, summarizes Georgy Kucherin.

Translated by the Yandex Translate service
