For years Russian hackers reportedly associated with the country's secret services have conducted numerous attacks against Western targets. But since Russia's invasion of Ukraine in February 2022 these attacks have stepped up, hitting targets in Ukraine, as well as its Western allies.

Leaders in cybercrime

Throughout much of the 2010s cyberattacks have been a significant component of Russia's so-called "hybrid war" against Ukraine, including DDoS attacks on Ukrainian state agencies and independent Russian media outlets.

Reports of proficient and unscrupulous Russian hackers operating globally have emerged over the last two decades, culminating in 2016 with their alleged involvement in hacking the US Democratic Party's email servers before that year's presidential election.

When Russia started waging war against Ukraine over two years ago, activities of government-sponsored hackers predictably increased, making Russia the world's most dangerous cybercrime country.

Over the last three years, Oxford University and the University of New South Wales in Canberra have conducted a study, assessing the most significant sources of cybercrime, and for the first time in history ranked countries according to the World Cybercrime Index (WCI). Based on the findings of the study, published in April 2024, Russia took first place.

 

Hitting targets in Ukraine

Since the Russian invasion of Ukraine, hackers allegedly linked to Russian secret services have been repeatedly accused of targeting Ukrainian companies and institutions.

Between January 2022 and November 2023 almost 4,000 cyberattacks against Ukrainian targets were recorded by the Computer Emergency Response Team of Ukraine, signifying a 300% increase on the same period before the war.

While Russia was still preparing its full-scale invasion, its hackers carried out a major cyberattack against Ukraine. On the night from January 13 to 14, 2022, nearly 100 websites of Ukrainian government organisations were attacked.

The attacked resources featured a picture with information that personal data of Ukrainians allegedly got into public access. A text in Polish was added, apparently to accuse Poland of the attack. However, the United Kingdom's intelligence services said that Russian military intelligence was "almost certainly" involved in the attack.

When Russia launched its first massive missile attack on Ukrainian power facilities in its autumn and winter campaign in 2022, missiles were not the only threat to the Ukrainian power grid that day. The Russia-linked hacker group called Sandworm also joined the attack.

According to cybersecurity firm Mandiant, Sandworm has been working for the Russian GRU (the Main Directorate of Intelligence) since at least 2009 and is one of the most experienced hacker groups that the Kremlin uses for attacks against what it considers enemies. Sandworm reportedly was behind attacks on the Ukrainian energy system in 2015 and 2016, which caused a major disruption to the country's electricity supplies.

 

Revenge against Ukraine's allies

Senior Russian officials have repeatedly said that in Ukraine, Russia is basically fighting against the entire West. Therefore cyberattacks against Ukraine's Western allies have long become normal practice.

In late January 2023, the German Federal Office for Information Security confirmed that the Russian criminal hacker group Killnet had organised DDoS attacks on the websites of German authorities, airports and financial organisations.

Shortly after Germany announced its decision to transfer Leopard 2 tanks to Ukraine that month, Killnet's Telegram channel reported the launch of a full-scale cyberattack against Germany.

Among the targets of their cyberattacks, Killnet hackers named the Ministry of Defence, various German law enforcement and security agencies, government websites, the Ministry of Finance and Deutsche Bank, as well as nine of the country's largest airports, particularly in Berlin, Munich, Düsseldorf, Hamburg and Dresden. Eventually, the attack was repelled without serious consequences, although disruptions to the work of agencies were still observed.

Czechia, another staunch ally of Ukraine, has also been targeted by Russian hackers. In May 2024, the Czech foreign ministry accused the hacker group APT28 (also known as Fancy Bear, Sofacy or Pawn Storm and linked to Russian authorities) of attacking various Czech government institutions.

According to the ministry, some Czech institutions had been subjected to cyberattacks using a vulnerability in the Microsoft Outlook service since 2023. The ministry did not say which institutions were attacked, noting only that "cyberattacks on political actors, state organisations and infrastructure" posed a threat to national security and democratic processes in the country.

The same hacker group APT28 was allegedly behind a cyberattack on Polish government agencies in May 2024. The state-run National Research Institute (NASK) said that the malware inserted by APT28 had targeted numerous Polish government institutions.

"Technical indicators and similarities with past attacks allowed us to identify the APT28 group,” NASK commented.

Incidentally, APT28 was also allegedly involved in a huge recent personal data breach affecting US government agencies. Back then, APT28 hackers exploited a vulnerability in MOVEit that allowed the Clop malware to steal sensitive data from thousands of organisations that stored customer and user data this way.

The problem was first discovered in May 2023, and by the autumn of 2023 more than 2,500 organisations had confirmed data breaches of at least 66mn people, although the actual number of people affected is likely much higher.

In June 2023, the website of the port of the Dutch city of Rotterdam, the largest port in all of Europe, was targeted by Russian-linked hackers.

The Port of Rotterdam was informed by the Dutch National Cyber Security Centre that pro-Russian groups were responsible for the attack. Several other Dutch ports, including Amsterdam and Groningen, simultaneously faced similar DDoS attacks.

RTL reported that a hacker group called NoName05 was behind the attack. Its representatives said the cyberstrike was their response to Dutch plans to buy Swiss tanks for Ukraine. The attacks were carried out from Russian and Serbian IP addresses.

The Dutch intelligence services had previously warned that Dutch maritime infrastructure could be threatened by Russia.

Eventually, the website of the port of Amsterdam went down for more than an hour on June 6, 2023, and the ports of Groningen suffered network outages for two days.

 

Hacked conversations and propaganda

Russian hackers have also been active in an information war the country is leading against the West, attempting to hack conversations that could be used for propaganda purposes and inserting pro-Kremlin content into European media outlets.

In early March 2024, Margarita Simonyan, chief editor of the Russian propaganda network RT, posted on her social media a 38-minute audio leak featuring a discussion between several high-ranking German air force officers. In the audio clip, they were apparently discussing hypothetically how Taurus long-range cruise missiles, which have long been requested by Ukraine, could be used against invading Russian forces.

A possible delivery of Taurus missiles to Ukraine was a very divisive issue in Germany at the time, and the publication of the recording, which German authorities said had been apparently interfered with by Russian hackers, heated up the controversy.

As it turned out, a German military officer used a WiFi connection at a Singapore hotel to join a conference call, which made its interception possible.

Apart from hacking conversations, Russian hackers have been using their malicious tools to insert pro-Russian propaganda messages into European media outlets.

Last month, the Polish news agency PAP published a fake news report about "partial mobilisation to send troops to Ukraine" attributed to the country's Prime Minister Donald Tusk. Polish authorities explained the publication, which was immediately picked up by Russian propaganda outlets by a cyberattack carried out by Russian hackers.

A similar cyberattack was reported in April and was targeted against the Ukrainian TV channel Freedom, rebroadcasted in Latvia by the Tet platform. For nearly 20 minutes the channel's regular broadcast was replaced with a video of Russian singer Oleg Gazmanov performing songs banned in Latvia and similar pro-Kremlin videos. Latvia's information technology security centre Cert.lv said that the incident had occurred as a result of a cyberattack against the satellite providing broadcasting.