February brought alarming reports of Russian hackers linked to the GRU developing new attack methods and expanding their targets to European critical infrastructure. These actions suggest that Russia is preparing for a broader conflict with the West.
The distinction between state-backed hackers and cybercriminals is becoming increasingly blurred. This is especially true for Russia’s military intelligence agency, the GRU (APT44, Sandworm), which has begun using malware such as Radthief and Warzone—previously employed only by cybercriminals. The GRU is also responsible for a wave of cyberattacks on Ukraine’s critical infrastructure and industrial control systems, particularly targeting logistics and grain transportation. A Czech supplier company was among the victims.
Even more concerning are Russia’s intensified efforts to infiltrate European critical infrastructure. These attacks indicate potential preparations for a larger conflict with Western Europe, where disruptions to energy, transportation, defense industries, and government institutions could have severe consequences.
Sandworm has also adopted innovative cyber-espionage techniques, penetrating the communications of governments, corporations, and non-profit organizations. By exploiting encrypted platforms like Teams, WhatsApp, and Signal, attackers deploy a method called "device code phishing." Victims receive fraudulent group invitations or malicious QR codes that, once scanned, link their accounts to devices controlled by hackers—allowing real-time message interception. Meanwhile, another GRU unit (APT28, Fancy Bear) is expanding its cyber-espionage efforts from Central Asia to European countries.
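The phishing pattern described above is hard to spot at the mailbox level, because the victim completes a legitimate sign-in; it is easier to spot in identity-provider logs, where the device-code grant is typically completed from an address the victim has never used. The following is an added detection sketch, not code from the article or from any vendor: the sign-in records are constructed, and the field names (user, protocol, ip, result) are assumed simplifications rather than a real product schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records (field names are assumptions, not a real
# product schema). 203.0.113.10 is the user's usual address; 198.51.100.77 is
# an address that first appears when a device-code grant is completed.
SAMPLE_LOG = """
{"time":"2025-02-10T08:01:00Z","user":"anna@example.org","protocol":"interactive","ip":"203.0.113.10","result":"success"}
{"time":"2025-02-10T08:30:00Z","user":"anna@example.org","protocol":"deviceCode","ip":"203.0.113.10","result":"success"}
{"time":"2025-02-12T14:02:00Z","user":"anna@example.org","protocol":"deviceCode","ip":"198.51.100.77","result":"success"}
{"time":"2025-02-12T14:05:00Z","user":"anna@example.org","protocol":"interactive","ip":"203.0.113.10","result":"success"}
{"time":"2025-02-12T15:00:00Z","user":"ben@example.org","protocol":"deviceCode","ip":"198.51.100.77","result":"failure"}
"""

def parse_log(text):
    """Parse newline-delimited JSON records and sort them chronologically."""
    records = [json.loads(line) for line in text.strip().splitlines()]
    for r in records:
        r["time"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["time"])

def flag_device_code_signins(records, baseline_days=7):
    """Return (user, ip, time) for every successful device-code grant whose
    source IP has not appeared in that user's successful sign-ins during the
    preceding baseline_days. In the phishing case the attacker's device, not
    the victim's, completes the flow, so the granting IP is new for the user."""
    seen = {}      # user -> list of (time, ip) from earlier successful sign-ins
    flagged = []
    for r in records:
        if r["result"] == "success" and r["protocol"] == "deviceCode":
            cutoff = r["time"] - timedelta(days=baseline_days)
            prior_ips = {ip for t, ip in seen.get(r["user"], []) if t >= cutoff}
            if r["ip"] not in prior_ips:
                flagged.append((r["user"], r["ip"], r["time"].isoformat()))
        if r["result"] == "success":
            seen.setdefault(r["user"], []).append((r["time"], r["ip"]))
    return flagged

if __name__ == "__main__":
    for user, ip, when in flag_device_code_signins(parse_log(SAMPLE_LOG)):
        print(f"review device-code grant: {user} from {ip} at {when}")
```

Only the grant from the unfamiliar address is reported; the earlier device-code sign-in from the user's usual IP and the failed attempt are ignored.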
Among other Russian cyber groups, the number of hacktivist actors—primarily engaged in DDoS attacks, website defacements, and doxing—declined last year. A key factor was the arrest of Pavel Durov and the subsequent expulsion of these groups from Telegram.
Before the most recent UK election, Russian hackers compromised the private email of Prime Minister Keir Starmer. The attack was attributed to Callisto (Coldriver, Seaborgium), a group controlled by the FSB. Alarmingly, Starmer had not enabled basic security measures such as two-factor authentication, activating it only after the breach.
After a long hiatus, the Belarusian cyber actor Ghostwriter launched a new campaign, targeting Belarusian activists and Ukrainian military and civilian authorities. The attacks involved Excel documents embedded with malicious macros.
Russian disinformation campaigns have increasingly targeted elections in democratic states, including recent votes in Germany and the upcoming presidential elections in Poland.
In Germany, disinformation efforts have focused on Robert Habeck (Greens) and Friedrich Merz (CDU). Fake articles and videos questioning Merz’s mental health were disseminated through counterfeit news websites and social media accounts. The German government admits its response capacity is limited due to the country’s strong free speech protections. Russian propaganda in Germany is further amplified by TikTok and X (formerly Twitter) algorithms, which promote far-right content.
In Poland, Russian operatives recruited locals, offering €3,000–4,000 to influence the election process.
While Russia spreads disinformation abroad, Belarus’s Lukashenko regime takes a different approach—completely shutting down internet access during elections to prevent mass protests like those triggered by previous election fraud.
A notable cyber incident followed the post-election protests in Tbilisi, Georgia, where a hacker manipulated public transport payment systems. As a result, buses played pro-European and pro-democracy songs, and the authorities were forced to suspend ticket payments, temporarily offering free public transport.
Ukraine has launched counter-cyber operations in response to Russian aggression. Ukrainian specialists targeted companies linked to Gazprom, causing server outages and financial losses in the millions. Russia also faced cyberattacks on its financial sector, including a breach at LANIT, a key IT service provider supporting the country’s banking technology.
Interestingly, Russia has also been targeted by its own allies. The Chinese hacking group Erudite Mogwai has conducted cyber-espionage operations against Russian government institutions and tech firms. Additionally, the Angry Likho group deployed the Lumma Stealer malware against Russian organizations via phishing emails containing fraudulent documents.
In response to Russian cyber aggression, the European Union sanctioned three GRU officers from Unit 29155 for their involvement in cyberattacks against Estonia. Meanwhile, the United States, the United Kingdom, and Australia sanctioned Russian hosting provider Zservers for supporting the ransomware group LockBit.
Australia also joined several Western nations in banning Kaspersky Lab software on government devices due to concerns over its ties to the Russian government.
BlackBasta, one of last year’s most active ransomware groups, appears to have disbanded. The breakup was likely triggered by internal conflicts, culminating in leaked internal communications on the dark web. A disgruntled member, opposed to attacks on Russian banks, exposed sensitive group information, fearing retaliation from Russian authorities. The leaks revealed organizational chaos—infighting, financial fraud, and cases where victims paid ransoms but never received decryption keys. BlackBasta now follows the fate of its predecessor, the Conti group, which similarly collapsed after internal leaks.
TOMÁŠ FLÍDR, February 28, 2025 – ANALYSIS