Hackers, who attack Ukrainian civil, military and government organizations, as well as russian
hacktivists/cyber criminals, are real people, who live their lives, who have first and last names,
who have families, who travel. They have bosses with their specific cultures and management
approaches, they have old habits, favorite tools, and techniques they use to simplify their lives.
In this report, we attempted to explain our observations of the human context. Since 2014,
Ukraine has been a testing ground for russia’s cyber capabilities, providing a possibility for
others to observe and learn about their tactics, techniques, and procedures. We had many serious
breaches that helped the world to better prepare for future attacks.
During 2022, we demonstrated great resilience with the help of our partners, but we have many
new lessons to learn from events that happened over the last year, which we would like to share
with our friends and the whole cybersecurity community.
Understanding of those events provides insight into the shifting dynamics of adversary tactics,
which is critical for staying ahead of today’s threats. Attacks are growing more destructive,
causing mass disruption in all aspects of our daily lives. This is the challenge we’ve accepted and a
fight that we will win together. I hope you find this report informative and that it gives you the same insights that I got: to be better prepared to stop adversaries from destroying our way of life and to provide strategic recommendations to organizations worldwide.
Victor Zhora
Deputy Chairman,
State Service of Special Communications
and Information Protection of Ukraine
This report is addressed to those whose activities are somehow associated with cybersecurity:
information security specialists in all the sectors of the Ukrainian critical infrastructure, those whose
companies can be connected with the services provided to the critical infrastructure and critical information infrastructure facilities of Ukraine, decision-makers for security of their facilities (including cybersecurity), in particular top managers of the central executive authorities of Ukraine, as well as our partners all over the world since last year we saw global active expansion of russia’s cyber aggression.
This report contains information on the activity of russian hackers in Ukraine during the second half of 2022 and compares it with their activity during the first half, analyzes the purposes and motives of russian hackers as well as the tools they use.
All the attacks on our country’s infrastructure are organized by the specified groups with specific purposes; if we are well aware of the enemy’s motivation and tools, we can forecast quite confidently
which segments and sectors are most threatened by russian hackers. The purpose of this report is to analyze these connections.
During the second half of 2022, we recorded a shift in the focus of russian hackers from the media and
telecommunications industries, which were among the main targets at the beginning of the war, to the energy system, which also turned into one of the principal targets of russia’s missile attacks since October last year. Moreover, the purposes of russian hackers have changed as well, from a large quantity of attacks aimed at disruption to spying and data theft. This indicates that the russian authorities are aware of the importance of the cyber component for their military operations.
Following the study, we recommend to the companies and organizations of potential interest to russian hackers to pay more attention to protection against attacks via their partners and suppliers, protection of web resources, vulnerability control and phishing.
Throughout our engagement, CERT-UA has observed that russia-aligned cyber operations use several common tactics, techniques, and procedures (TTPs) to execute their intrusions. We have been able to turn these observations into actionable guidance for network defenders and security teams. Also, we would like to share the lessons learned and make our hypotheses available for discussion in the wider information security community.
