Hackers
Main article: Hackers
Chronicle
2025
14 cyber groups that most actively carry out attacks on Russian companies
The Kaspersky Cyber Threat Intelligence team identified 14 cyber groups that most actively carry out attacks on Russian organizations. Among them are hacktivists who appeared in the domestic cyber landscape after 2022 and publicly position themselves as pro-Ukrainian formations. For the first time, the researchers conducted a comprehensive technical analysis of the tactics, techniques and procedures of these attackers, and also confirmed the existence of ties between the groups. The study was published on September 4, 2025.
According to the press service of Kaspersky Lab, experts have grouped attackers into three clusters based on motivation and the tools used. The classification made it possible to identify systemic patterns in the activities of cybercriminals and their coordination during operations against Russian companies.
The first cluster is composed of hacktivists acting for ideological reasons with the aim of destroying corporate infrastructure in Russia. This category includes the following groups:
- TWELVE
- BlackJack
- Head Mare
- C.A.S
- Crypt Ghouls
The second cluster is represented by APT groups specializing in complex targeted cyber espionage campaigns. These include:
- Awaken Likho
- Angry Likho
- GOFFEE
- Cloud Atlas
- Librarian Likho (formerly known as Librarian Ghouls)
- Mythic Likho
- XDSpy
The third, hybrid cluster unites attackers with distinctive methods of work:
- BO TEAM
- Cyberpartisans
The study proved the interaction of most of the studied formations. The groups use identical tools and distribute roles in operations against Russian enterprises: some provide initial access to systems, others establish persistence in the networks and cause damage to the targets.[1]
Who and where is attacking Russia? TAdviser released a map of cyber groups and their targets
In Russia, after the imposition of sanctions, the digitalization of all industries not only did not stop, it accelerated, since it became clear to everyone that it was necessary to switch to a new technological base: clouds, web services and container technologies, mainly of domestic production. And the more digital public administration, finance and industry become, the more they attract the attention of hackers from around the world. That is why Russian information systems are attacked not only by cyber forces of unfriendly countries, but also by groups based in friendly countries and even in Russia itself.
Attribution
It should be noted that determining the location of a particular group (attribution) is rather conditional. Some research companies at one time identified and described the tactics and techniques of certain hackers and tied them to particular countries. This was often done by the character encodings used or the hours of activity. If the Russian language was used, then a link to Russia followed, although Ukrainian and Belarusian specialists can also use the same Russian language and live in roughly the same time zone. The same applies to Asian cyber groups.
Since no one disputed the binding of groups to specific countries, everyone else also began to refer to the already established attribution of hackers. Further, if a new group borrowed something from older malicious techniques or tools, it was assigned the same attributes as the parent group. It should be noted that if a group is localized in a particular country, this does not mean that the government of that country is cooperating with it. In our map, we tried to adhere to the names of the groups that Russian researchers gave in their reports.
However, some hacker groups used methods and tools that could be tied to groups from several countries, so their presence could not be localized. There were also completely new hacker communities that could be international. For example, when legitimate remote control or network administration tools are used, it is difficult to determine the style of the attack, and therefore to bind it to a specific group or school. Therefore, there are quite a few names on our map that do not have a clear localization.
Attack targets
The map is based on analytical reports of Russian companies such as Kaspersky Lab, BI.Zone or F6, but the mention in foreign reports was also recorded. These reviews quite often indicate approximate goals that are pursued by attackers of a particular group. We structured them into five large clusters:
- State. This includes not only state information systems, but also regional and municipal sites, resources of state institutions and departments, as well as other digital assets, one way or another related to the activities of the state. In general, the failure of such resources can affect the quality of public administration;
- Industrial. Of course, here most often attacks occur on defense industry enterprises, but the oil and gas and energy sectors are also classified by us as industrial facilities, attacks on which can lead to serious consequences, including for citizens;
- Scientific. This category includes educational resources, as well as various scientific institutions that are closely related to industry. They are engaged in the development of intellectual property, which is important for the economy of the state. Their disabling is rarely noticed, but attacks on them are often associated with espionage and influence on the development of industrial technologies and, in general, the country's economy;
- Commercial. This category includes all commercial enterprises, such as retailers, marketplaces, digital platforms, providers, IT companies and other commercial enterprises that provide services. The failure of these resources mainly results in economic losses and inconveniences only for their customers;
- Banking. Banks and insurance companies could be classified as commercial, since they also provide services. However, their failure affects not only the company itself but can cause financial damage to a large segment of the economy, so we have separated them into their own category.
However, not all reports on the activities of groups indicated the final goals of the hacker activity. Therefore, many groups are not tied to specific industry targets. This generally means that their attacks are not targeted; such groups have been tied to other parameters instead.
The fame of the groups
Most hacker groups do not like to draw attention to their activities. However, there are organizations that, on the contrary, try to publicize their operations as widely as possible. Often these are ransomware platforms and pro-Ukrainian groups. At the same time, to designate hacker associations we tried to use not their self-chosen names but the names that Russian researchers gave them in their reviews of techniques and tactics.
To somehow determine the visibility of a group, we used the Yandex Wordstat[2] service. It provides statistics on the queries that users type into the Yandex search engine. The use of a group name in a search query indicates some fame of that particular group, so the number of search queries typed by users for a particular group was regarded by us as an indicator of its fame.
However, for some groups, this method of determining the popularity index does not work. This refers to the names of groups that match popular names such as Lazarus or Sauron. In this case, I had to use my own expert assessment of the level of popularity. So the popularity index is, rather, a synthetic indicator that characterizes the fame of a particular group, and not its "merit."
Attack on the country in cinema and in life
Netflix in February 2025 released a mini-series called Zero Day, which attempted to simulate the situation of an unprecedented attack on critical US infrastructure. The authors relied heavily on examples from life, but also did not do without obvious exaggerations. TAdviser spoke with cybersecurity experts and traced the parallels between the plot of the series and reality, and also assessed how the built model of a large-scale cyber attack can be implemented in reality.
Together with TAdviser, the series was watched and discussed in podcast format:
- Gennady Sazonov, Head of Incident Investigation at Solar 4Rays Center, Solar Group of Companies
- Evgeny Chunikhin, Business Head of Cyber Intelligence at F6
Watch the podcast on VK Video and in Rutube.
A text overview is available from the link.
2024
A new hacker group GoldenJackal has been identified, attacking government agencies isolated from the Internet
In early October 2024, cybersecurity researchers at ESET discovered new tools used by the hacker group GoldenJackal against governmental and diplomatic institutions in Europe, the Middle East and South Asia. Read more here.
A new cyber group has been identified that uses 500,000 domains to attack companies around the world
On July 17, 2024, Infoblox specialists announced the identification of the Revolver Rabbit cyber group, which registered more than 500 thousand domain names for information theft campaigns. The attackers target systems running Windows and macOS. Read more here.
2023: Israeli hacker group that influenced elections around the world revealed
In mid-February 2023, it became known about the Israeli hacker group Team Jorge, which manipulated more than 30 elections around the world using cyber attacks, sabotage and automated disinformation on social networks. The group is led by former Israeli intelligence officer Tal Hanan. Read more here.
2020: North Korea hacker group Kimsuky attacks Russian military-industrial complex enterprises
On October 19, 2020, it became known about hacker attacks on military and industrial enterprises in Russia. The North Korean cybercriminal group Kimsuky conducted malicious mailings in the spring, including through social networks, to obtain confidential information from aerospace and defense companies, said Anastasia Tikhonova, head of the complex threats research department at Group-IB. Read more here.