Secret payer: hacker attacks for the purpose of espionage have become more frequent in Russia
Hacker groups have begun trying more actively to infiltrate companies for espionage: cybersecurity companies report that the share of such attacks has already risen to 42% since the beginning of the year, compared with 37% for the whole of 2025. Industrial, financial and transport organizations are now under attack. The attackers' goals have also changed this year: previously they demanded a ransom in exchange for leaving the infrastructure intact, but now they increasingly intend simply to destroy it, without any conditions. How hackers' behavior has changed and what methods they use is covered in this Izvestia article.
Why cyber espionage is on the rise
In the first quarter, 42% of cyber attacks were carried out for the purpose of espionage, BI.ZONE Threat Intelligence specialists told Izvestia. At the same time, according to the Threat Zone 2026 study, this figure was 37% over the past year.
In particular, the Paper Werewolf group has become more active: it attacks the Russian industrial, financial and transport sectors and develops its own malware. These attackers are characterized by a long-term covert presence in the infrastructure.
"The group is actively experimenting with attack chains, using phishing PDF documents, installers and various loaders to deliver the malicious payload," said Oleg Skulkin, head of BI.ZONE Threat Intelligence. "The cluster has a high level of training and technical maturity."
In addition, according to the expert, members of the group have created their own stealer (a type of malware that harvests data), which collects data from Telegram, files from local, network and removable drives, and credentials stored in browsers.
One of the Paper Werewolf campaigns was aimed at industrial and financial organizations. By opening the file attached to the email, the victims were actually launching a remote access Trojan. The malware made it possible to collect system information about a compromised device, upload and send files to a command and control server, and execute commands. The whole process was disguised as the installation of Adobe Acrobat Reader.
Natalia Shornikova, a leading analyst at Kaspersky Lab's Cyber Threat Intelligence team, confirmed the increase in the number of attacks whose main purpose is cyber espionage.
"We recently discovered a new group, Geo Likho, which mainly targets the Russian transport sector: aviation and shipping companies," she said. "In the last seven months alone, the attackers have carried out more than 200 attacks in our country."
According to her, the attackers use targeted phishing for initial access: the victim is sent a letter asking them to review the contract. After infecting the network, attackers seek to gain a foothold in the compromised infrastructure for a long time in order to monitor the target and steal data.
"They can maintain their presence there for several weeks or even months," Natalia Shornikova added. "Attackers collect data on the victim's computer and removable media: for example, system logs, presentations and other office files, and images, and they periodically take screenshots."
Geo Likho steals not only documents from organizations, but also additional information: a list of installed programs, drivers, and operating system components. Another example is the HeartlessSoul group, which has been attacking the Russian public sector and industry since 2025 for the sake of cyber espionage. The attackers use traditional methods of infiltrating the company.
How else do hackers attack
The trend towards increased cyber espionage was also confirmed by Ivan Korolev, a leading expert at Doctor Web. According to him, any penetration into the company's infrastructure is usually aimed at stealing data or encrypting it.
"The latter only happens in cases where a group of attackers initially aims to obtain a ransom," he noted. "When data is stolen, the attackers receive money from their customers, and when it is encrypted, from the victim as a ransom. The latter requires additional infrastructure and effort, so theft is more profitable for intruders."
According to him, pro-Ukrainian groups, including those based in Asian countries, are actively engaged in such attacks. These include, for example, Rare Wolf, which is currently considered the most active, as well as exCobalt. Among the financially motivated cyber groups, the expert noted Head Mare, specializing in data encryption, and Watch Wolf, whose members are engaged in information theft.
"There are several other similar groups, but they work without any particular bursts of activity, just systematically," Ivan Korolev added. "We have identified a financially motivated group that steals funds through remote banking services. It exfiltrated corporate documents in large volumes."
There is also a trend towards the complete destruction of the victim's infrastructure without a prior demand for ransom, said Lada Antipova, head of the Response and Digital Forensics Department at Angara MTDR.
"We have encountered numerous groups, including well-known ones," she said. "In particular, Space Pirates and RedCurl. The first is associated with intruders from Southeast Asia. The second group most often attacks financial, insurance, construction and retail organizations in Russia and other countries."
The current situation is tied to the geopolitical agenda, against which espionage groups are becoming more active, seeking to steal information that constitutes a state secret, the press service of Solar Group said.
In 2025, attackers most often targeted organizations in the public sector (39%) and industry (17%). IT companies were also under attack (13%), and since last year the share of complex attacks on industrial organizations has increased 2.1 times. In addition, 7% of cyber incidents occurred at energy enterprises. A quarter of all attacks started through a trusted relationship.
"The most popular way to penetrate a contractor's infrastructure is to exploit vulnerabilities in web applications; this vector accounted for 31% last year," the company added. "Another 30% of complex incidents were caused by compromised services or employee accounts, and 15% by phishing."
Why companies are vulnerable
Cyber espionage is becoming more profitable than other types of attacks, since internal information about customers, developments, technologies, as well as any other confidential information is valuable for the black market, added Alexander Dvoelozhkov, an expert at Infosecurity's digital threat analysis and assessment department (part of Softline Solutions, Softline Group).
"The main targets of the attacks are high-tech industrial enterprises and financial and transport organizations. Attackers try to steal confidential information from them, such as know-how, design drawings, customers' personal data, financial information and companies' strategic plans," the expert added. "The information obtained is used to blackmail organizations or is sold to competitors."
The majority of Russian companies remain vulnerable because of errors in the configuration and operation of their protection systems, said Semyon Rogachev, head of the Incident Response Department at Bastion. According to him, up to 80% of such attacks reach the intruders' target.
"Some companies believe that if cybercriminals cannot penetrate the external perimeter, then the IT infrastructure is protected," said Semyon Rogachev. "However, this approach creates a false sense of security. Access to the internal network can also be obtained through social engineering or contractor accounts."
Penetration into companies most often occurs through phishing emails to employees, through supply-chain attacks, and through combined attacks in which, for example, DDoS is used as a distraction, added Alexey Kolodka, director of Giant Computer Systems.
Many cyber incidents begin with preliminary espionage: attackers study the infrastructure, employees, and processes, choosing the most vulnerable entry point.
Translated by the Yandex Translate service