What we know about Russian hackers — and how to stop them — after a year of cyberwar in Ukraine

Moscow's cyber operatives will target any nation supporting Ukraine, but a global coalition can win on the digital battlefield.
Supporters of Ukraine hold signs and wave flags during a Stand with Ukraine rally at Copley Square in Boston on Feb. 26. (Photo by JOSEPH PREZIOSO/AFP via Getty Images)

Since the beginning of 2022, when Russian hackers began to wage an intense cyberwar against our country, we have seen dozens of forecasts about how the events would unfold on the digital frontlines. Many predicted dire consequences for Ukraine as Russian hackers are considered among the most skilled in the world.

But most of those predictions vastly underestimated the resilience of Ukraine as well as the hackers, technologists and cyber strategists working together to counter Russian cyber operatives and their ongoing attacks. More than a year has passed and Ukraine has withstood Moscow’s cyber aggression. And we’ve managed to study our enemy’s techniques and tactics in cyberspace. This knowledge has become the foundation for an analytical report, Russia’s Cyber Tactics: Lessons Learned 2022, that is based on the experiences from the past year of warfare and what we expect to see from Moscow in cyberspace in the near future.

Russian hackers’ tactics are changing. For instance, there were many cyberattacks aimed at disrupting certain critical services prior to and at the beginning of Russia’s full-scale invasion of Ukraine. Those were also an instrument of informational and psychological warfare on Ukrainians designed to demoralize society.

Following the retreat of Russian troops from Kyiv, we started detecting an increasing number of attacks aimed at gathering information for espionage purposes. Russian military hackers are interested in any information they think can help Russia win this war. They prioritize quiet and long-term campaigns allowing them to stay inside systems and to maintain access data for as long as possible. This distinguishes them from so-called Russian “hacktivists” whose primary goal is informational impact, so they promptly disclose details of their attacks.


The countries that support Ukraine have also become targets for Russian military hackers and “hacktivists.” Their primary goals are to have a psychological impact on the democratic countries that support Ukraine. Given that, with a great deal of probability, we expect to see an increasing number of cyberespionage attacks, system infiltrations and data thefts in those countries.

Earlier this year, hackers attempted to spread spyware through phishing websites imitating official Ukrainian and Polish websites. That spyware was designed to take screenshots and enable data exfiltration. Furthermore, it also featured a task scheduler to ensure persistence. Attacks by experienced intelligence-related groups such as InvisiMole (associated by some with Russia’s foreign intelligence service) can go unnoticed for an extended period of time. Those are potentially the most dangerous types of operations. This is why government officials globally are at risk of being targeted by Russian cybercriminals. Any diplomat with access to sensitive data should be aware that they are in the crosshairs of Russian hackers.

No one can be sure that Russian hackers aren’t targeting them as Moscow is increasing its attacks on all sectors. We saw an increase in supply chain attacks through 2022, reaching a peak in the forth quarter. This trend continued into 2023, as well. Companies servicing the public sector and critical infrastructure operators such as software developers, internet service providers, etc., often fall victim to Russian hackers. Hence, protecting critical IT infrastructure is paramount.

Russian hackers are increasingly infiltrating systems by exploiting existing software vulnerabilities rather than through phishing attacks. By doing so, hackers are attempting to infiltrate as many systems as possible with plans to execute more invasive attacks in the future. These kinds of risks require all of us to remain vigilant, employ cyber hygiene practices and develop capabilities for patching vulnerable systems as soon as possible.

But we need to more than that if we are going to truly counter the growing cybersecurity threat coming out of Russia. We need to form a robust coalition of like-minded nations that stand up to Russia’s digital aggression, deploy the most aggressive sanctions against Russian President Vladimir Putin’s regime and to continue denying Russia access the latest technology, software and services that enable it to carry out its global campaign of cyberattacks and cyberwarfare on Ukraine and the rest of the world. 


Victor Zhora is deputy head of Ukraine’s State Service of Special Communication and Information Protection.

Latest Podcasts