Russia-Ukraine Cyber War: Major Threat Actors and Attribution
- The DigitalBank Vault
Over the last year, Russian threat actors have combined old and new vulnerabilities with varied delivery methods: a nearly seven-year-old Microsoft Office flaw exploited by the Solntsepek persona to deliver Cobalt Strike Beacon, and spearphishing campaigns by state-linked groups such as UAC-0185 and UAC-0063 that use macro-enabled documents to drop custom malware such as Hatvibe and Cherryspy.
They have also carried out large-scale supply-chain intrusions, for example compromising a contractor's network to strike Ukraine's state registers under the XakNet hacktivist front, exfiltrating and then purging both primary and backup databases, and have spread malware physically via removable drives in Gamaredon's GammaSteel campaign against a foreign military mission in Ukraine.
Major Threat Actors and Attribution
GRU Unit 29155 (whose cyber component Microsoft tracks as Cadet Blizzard; it is a separate unit from Sandworm, GRU Unit 74455, which Microsoft called "Iridium" and now "Seashell Blizzard") had five of its officers formally indicted by the U.S. DOJ in September 2024 for pre-invasion cyberattacks, including the destructive "WhisperGate" campaign, aimed at sowing distrust in and disrupting Ukrainian government systems; per the indictment, these officers scanned and probed networks across 20+ countries before launching data destruction operations
Criminal–State Nexus: Microsoft reports a growing trend of Russian criminal networks infiltrating Ukrainian military devices, using stolen credentials and remote access tools to pivot into defense systems—illustrating how Moscow “outsources” parts of its cyberwarfare to mercenary hackers
Hacktivist Fronts: Groups like XakNet, widely assessed to be a cover for GRU-linked operations, claim responsibility for disruptive hacks (e.g., the December 2024 strike on 60 state registers) to muddy attribution and amplify panic within Ukraine
Exploitation of Vulnerabilities
Office-Based N-Day Exploits
In late April 2024, the Solntsepek group exploited a nearly seven-year-old Microsoft Office vulnerability to deliver Cobalt Strike payloads to Ukrainian targets. Malicious Office attachments triggered the flaw to run shellcode, stage the Beacon implant, and open encrypted HTTP(S) command-and-control channels for post-exploitation tasking. The enabler was a years-old patch gap, not a zero-day: every affected host had been missing a fix that was available long before the campaign
Spearphishing & Macro‑Enabled Malware
UAC‑0185 Phishing Campaigns
CERT‑UA warned in December 2024 of UAC‑0185 spearphishing emails targeting Ukraine's defense and security sector. The messages impersonated trusted correspondents and carried weaponized Office macros that spawned remote-access shells; the actors then moved laterally using stolen credentials
UAC‑0063’s Hatvibe & Cherryspy
In September 2024, CERT‑UA documented UAC‑0063 (which it associates with APT28/Fancy Bear) sending DOCX lures with embedded macros that drop the encoded HTA loader Hatvibe, which in turn fetches the Cherryspy backdoor. Persistence was achieved via scheduled tasks, and command-and-control traffic was blended into ordinary HTTPS
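Every campaign in this section, the Solntsepek Office exploit included, arrives as an Office attachment carrying VBA or an embedded object. The following is an added example, not code from CERT‑UA, from this article, or from any of the groups described: a mail-gateway triage function that opens the OOXML zip container and looks for a `vbaProject.bin` part or embedded OLE objects, so that a macro document renamed from `.docm` to `.docx` is still caught. The part names and the verdict strings are this example's own conventions, and the sample documents it scans are constructed in memory and contain no real macro code.

```python
"""Triage Office attachments for embedded VBA / OLE content.

Added example (not from CERT-UA or the article): inspects the OOXML zip
container directly instead of trusting the file extension, so a macro
document renamed from .docm to .docx is still flagged. The sample
documents built below are constructed for the demonstration and hold
no real VBA code.
"""
import io
import zipfile

# Standard OOXML part locations for VBA projects and embedded OLE objects
# (Word, Excel and PowerPoint use these paths inside the zip container).
VBA_PART_SUFFIX = "vbaProject.bin"
EMBEDDED_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt


def triage_office(data: bytes) -> dict:
    """Return a verdict dict for an Office file given its raw bytes."""
    result = {"is_ooxml": False, "has_vba": False,
              "embedded_objects": [], "verdict": "unknown"}
    if not data.startswith(ZIP_MAGIC):
        # Not a zip container: legacy OLE2 needs a different parser
        # (e.g. oletools' olevba); anything else is not an Office file.
        if data.startswith(OLE2_MAGIC):
            result["verdict"] = "legacy-ole2: inspect with olevba"
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        result["verdict"] = "corrupt-zip: hold for manual review"
        return result
    result["is_ooxml"] = "[Content_Types].xml" in names
    result["has_vba"] = any(n.endswith(VBA_PART_SUFFIX) for n in names)
    result["embedded_objects"] = [n for n in names if n.startswith(EMBEDDED_PREFIXES)]
    if result["has_vba"]:
        result["verdict"] = "block: VBA project present"
    elif result["embedded_objects"]:
        result["verdict"] = "detonate: embedded objects present"
    else:
        result["verdict"] = "allow: no active content found"
    return result


def build_sample(with_vba: bool, with_embedding: bool = False) -> bytes:
    """Construct a minimal OOXML-like container (demonstration only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        if with_embedding:
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean.docx", build_sample(False)),
        ("macro-renamed-to.docx", build_sample(True)),
        ("embedded-ole.docx", build_sample(False, True)),
    ]
    for label, blob in samples:
        print(f"{label}: {triage_office(blob)['verdict']}")
```

The check keys on container contents, never on the extension or the MIME type the sender supplied. Legacy binary formats (`.doc`, `.xls`) are OLE2 compound files rather than zip containers; the function flags them for a dedicated parser instead of silently letting them through.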
Supply‑Chain Compromise & Data Destruction
Attack on Ukraine’s State Registers
On December 20, 2024, XakNet compromised NAIS, the contractor that operates the registers for Ukraine's Ministry of Justice. After months of quiet network mapping and C2 staging, the attackers exfiltrated sensitive biometric, tax, and property records, then ran destructive scripts that wiped both the primary databases and the off-site backups, taking e-government services offline nationwide. The backups were reachable from the same compromised environment, which is why they offered no protection
Removable Media & Physical Vector Attacks
Gamaredon’s GammaSteel Campaign
In April 2025, researchers reported Gamaredon (aka Armageddon) delivering an upgraded "GammaSteel" payload via infected USB drives at a foreign military mission in Ukraine. Because Windows has not honoured AutoRun for USB drives since 2011, the infection relies on the victim opening lure shortcuts placed on the drive; the malware then writes shellcode to disk, beacons out over HTTP, and evades AV through code obfuscation
Techniques & Tools Overview
| Technique Area | Example TTPs / Tools |
|---|---|
| Initial Access | Spearphishing attachments (T1566.001), Office exploits (Exploitation for Client Execution, T1203) |
| Execution & Persistence | Macro-enabled scripts (User Execution: Malicious File, T1204.002; Visual Basic, T1059.005), Scheduled Tasks (T1053.005) |
| Credential Access | OS credential dumping (T1003, e.g. Mimikatz), phishing for credentials |
| Lateral Movement | Remote Services such as SMB and RDP (T1021), harvested RDP credentials |
| Command & Control | Cobalt Strike Beacon over HTTP(S) (T1071.001), SOCKS tunneling |
| Data Destruction | Custom wipers, database purge scripts (Data Destruction, T1485) |
| Spoofing & Misdirection | Hacktivist fronts (Killnet, XakNet), false claims of responsibility |
| Supply Chain | Contractor network compromise (Trusted Relationship, T1199), stolen certificates |
| Physical Media | Replication Through Removable Media (T1091), lure shortcuts on USB drives |
Mitigation Recommendations
Patch Management: Remediate known Office flaws immediately (the exploit discussed above targeted a bug fixed years earlier) and keep every endpoint fully updated
Email Defense: Block macros in documents that carry the Mark of the Web, allow only signed macros where a business case exists, detonate attachments in a sandbox, and train users to recognise spearphishing
Supply‑Chain Security: Vet and continuously monitor third‑party contractor access; segment contractor networks from critical systems and audit every privileged path into them
Endpoint Hardening: Disable AutoRun and AutoPlay for removable media, enforce application allow‑listing, deploy EDR to catch novel wipers, and keep backups offline or immutable so that a wiper which reaches production cannot also reach them, as it did with the state registers
Network Monitoring: Use behavioral analytics to spot periodic C2 callbacks, block known Beacon profiles and signatures, and rate‑limit anomalous traffic volumes
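To make the "behavioral analytics for C2" recommendation concrete, here is an added example, not from the article or from any vendor product, that scores each source/destination pair in a proxy log on the regularity of its callback intervals. Cobalt Strike Beacon sleeps for a fixed interval plus a configured jitter percentage, so its intervals cluster tightly even though no two are identical; the coefficient of variation (standard deviation divided by mean interval) captures that clustering. The log lines, hostnames, IP addresses and thresholds are all constructed for the demonstration.

```python
"""Beaconing detection over proxy logs.

Added example, not from the article or any vendor tool. Scores each
(source, destination) pair on how regular its callback intervals are:
a Beacon with sleep 60s and 15% jitter produces intervals that vary a
little, ordinary browsing produces intervals that vary a lot. The log
lines below are constructed; the hosts and addresses are not real.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log: timestamp  src_ip  dst_host  uri  bytes_out
# 10.1.4.22 -> updates.cdn-mirror.net is a jittered beacon (~60s sleep).
# 10.1.4.22 -> telemetry.vendor-example.com is benign but perfectly periodic.
# 10.1.4.22 -> news.example.com is a user browsing.
# 10.1.4.23 -> updates.cdn-mirror.net has too few hits to score.
SAMPLE_LOG = """\
2024-12-20T09:00:00 10.1.4.22 updates.cdn-mirror.net /api/v1/status 312
2024-12-20T09:00:05 10.1.4.22 telemetry.vendor-example.com /ping 88
2024-12-20T09:00:10 10.1.4.22 news.example.com / 15400
2024-12-20T09:00:12 10.1.4.22 news.example.com /style.css 2210
2024-12-20T09:00:57 10.1.4.22 updates.cdn-mirror.net /api/v1/status 318
2024-12-20T09:01:52 10.1.4.22 updates.cdn-mirror.net /api/v1/status 305
2024-12-20T09:02:05 10.1.4.22 telemetry.vendor-example.com /ping 88
2024-12-20T09:02:55 10.1.4.22 updates.cdn-mirror.net /api/v1/status 311
2024-12-20T09:03:40 10.1.4.22 news.example.com /world/article-17 18800
2024-12-20T09:03:50 10.1.4.22 updates.cdn-mirror.net /api/v1/status 320
2024-12-20T09:04:05 10.1.4.22 telemetry.vendor-example.com /ping 88
2024-12-20T09:04:49 10.1.4.22 updates.cdn-mirror.net /api/v1/status 309
2024-12-20T09:05:52 10.1.4.22 updates.cdn-mirror.net /api/v1/status 314
2024-12-20T09:06:05 10.1.4.22 telemetry.vendor-example.com /ping 88
2024-12-20T09:06:30 10.1.4.23 updates.cdn-mirror.net /api/v1/status 310
2024-12-20T09:06:48 10.1.4.22 updates.cdn-mirror.net /api/v1/status 316
2024-12-20T09:08:05 10.1.4.22 telemetry.vendor-example.com /ping 88
2024-12-20T09:09:05 10.1.4.22 news.example.com /world/article-18 19100
2024-12-20T09:09:06 10.1.4.22 news.example.com /img/hero.jpg 240000
2024-12-20T09:10:30 10.1.4.23 updates.cdn-mirror.net /api/v1/status 310
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, uri, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, uri, int(size)))
    return events


def beacon_scores(events, min_hits=5):
    """Per (src, dst) pair: hit count, mean interval and coefficient of variation."""
    by_pair = defaultdict(list)
    for ts, src, dst, _uri, _size in events:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few observations to judge periodicity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        # Population stdev over the observed intervals; a mean of 0 means
        # all hits shared one timestamp, which is a burst, not a beacon.
        cv = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
        scores[pair] = {"hits": len(stamps), "mean_interval": mean, "cv": cv}
    return scores


def flag_beacons(events, min_hits=5, max_cv=0.2, allowlist=()):
    """Return sorted (src, dst) pairs whose intervals are regular enough to be beacons."""
    flagged = []
    for (src, dst), score in beacon_scores(events, min_hits).items():
        if dst in allowlist:
            continue  # known periodic service (updates, telemetry, NTP-style pings)
        if score["cv"] <= max_cv:
            flagged.append((src, dst))
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for pair, s in sorted(beacon_scores(evts).items()):
        print(f"{pair[0]} -> {pair[1]}: hits={s['hits']} mean={s['mean_interval']:.1f}s cv={s['cv']:.2f}")
    print("flagged:", flag_beacons(evts, allowlist={"telemetry.vendor-example.com"}))
```

Perfectly periodic legitimate traffic (the constructed telemetry host) scores even lower than a jittered Beacon, which is why the function takes an allowlist. In production the thresholds and the minimum hit count must be tuned against a baseline of the environment's own traffic, and a Beacon configured with a long sleep needs a correspondingly long observation window before enough intervals accumulate to score it.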
By understanding the evolving toolkit of Russian cyber actors, which ranges from years‑old software flaws to custom‑built data wipers and deceptive hacktivist fronts, defenders can better anticipate and neutralize the next wave of disruptive campaigns against Ukraine.