- Russian Hackers increased use of Artificial Intelligence (AI) in cyber attacks against Ukraine in early 2025.
- There were 3,018 cyber incidents reported in the first half of 2025, up from 2,575 in the latter half of 2024.
- Malware such as WRECKSTEEL and phishing campaigns targeting defense and government sectors have been observed using AI-generated tools.
- Russia-linked groups exploited vulnerabilities in Roundcube and Zimbra email software to steal credentials without user interaction.
- Attackers increasingly use legitimate services like Dropbox and Google Drive to host malware and phishing content, complicating defense efforts.
The Ukrainian State Service for Special Communications and Information Protection (SSSCIP) reported that Russian hackers have advanced their use of artificial intelligence in cyber attacks during the first half of 2025. These attacks affected various sectors in Ukraine, including military and local government institutions.
According to SSSCIP, 3,018 cyber incidents were recorded in this period, marking an increase from 2,575 incidents in the second half of 2024. The agency noted a rise in attacks targeting local authorities and military bodies, while incidents against government and energy sectors declined.
The agency highlighted the use of AI not only in generating phishing messages but also in developing malware. One example is the WRECKSTEEL malware, linked to the UAC-0219 group, used to target state administration agencies and critical infrastructure. “There is evidence to suggest that the PowerShell data-stealing malware was developed using AI tools,” SSSCIP stated.
Other phishing campaigns involve various threat actor clusters, including UAC-0218 distributing the HOMESTEEL malware through booby-trapped RAR archives, and UAC-0226 targeting defense innovation organizations with the GIFTEDCROOK stealer. Additionally, UAC-0227 targets local governments and infrastructure using phishing techniques to deliver Amatera and Strela Stealers. The Sandworm-associated UAC-0125 group sends emails impersonating security software to distribute a C# backdoor called Kalambur.
SSSCIP also reported that the Russia-linked group APT28 (UAC-0001) exploited security flaws in webmail applications Roundcube and Zimbra. These exploits, known as zero-click attacks, allowed attackers to steal credentials and contact information without user interaction by injecting malicious code through application programming interfaces.
“Another method…was to create hidden HTML blocks where login information stored in the browser would be auto-filled and then exfiltrated,” the agency explained.
The report confirmed that Russian cyber groups continue to coordinate their digital attacks with physical military actions, with Sandworm (UAC-0002) targeting areas such as energy, defense, internet providers, and research.
Furthermore, an increasing trend involves abusing legitimate online platforms like Dropbox, Google Drive, OneDrive, Bitbucket, and Telegram to host malware, phishing pages, or facilitate data theft. “The use of legitimate online resources for malicious purposes is not a new tactic,” SSSCIP noted, “However, the number of such platforms exploited by Russian hackers has been steadily increasing in recent times.”
For more information, visit the official SSSCIP report.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Pepe, BONK, Trump Coin: Will 2025 End With New Memecoin Highs?
- ChatGPT Hits 800M Weekly Users, Expands Low-Cost Plan in Asia
- SoftBank’s PayPay Buys 40% Stake in Binance Japan, Plans Integration
- Shiba Inu Phishing Scam: Real Airdrops Lure Users to Fake Sites
- Musk Hires New xAI CFO as $20B Funding Sought, Banki Steps Down
