Russia’s digital warriors adapt to support the war effort in Ukraine … – CyberScoop
Russian and pro-Russian operatives continue to modify their hacking and influence operations aimed at Ukraine to extract intelligence and sway public opinion in favor of the war, Google researchers said in a report released Wednesday. The latest tactics include promoting highly produced YouTube videos as well as more traditional phishing campaigns.
Roughly 14 months after the Russian invasion of Ukraine, the cyber components of the Russian onslaught continue, with nearly 60% of Russian-backed phishing campaigns targeting Ukraine, Billy Leonard, a security engineer with the Google Threat Analysis Group, wrote in an update on the most notable hacking campaigns the company observed between January and March of 2023.
The latest report includes new information operations from Russia's elite hacking units as well as work from a group believed to be from Belarus, a staunch Russian ally. From traditional credential and intelligence gathering efforts to information operations aimed abroad and at Russian audiences to glorify war efforts, the ongoing cyber operations remain active and show signs of adaptations and new techniques, Leonard wrote.
One of Russia's most prolific and elite hacking groups (known widely as Sandworm, but tracked by Google as FROZENBARENTS) continues to focus heavily on the war in Ukraine with campaigns spanning intelligence collection, IO, and leaking hacked data through Telegram, Leonard wrote. Believed to operate out of Russian Armed Forces Main Directorate of the General Staff, or GRU, Unit 74455, the group (known best for its multiple successful Ukrainian power grid attacks and the NotPetya malware that racked up more than $10 billion in global damages) maintains its perch atop the Russian-backed offensive hacking ecosystem.
FROZENBARENTS remains the most versatile GRU cyber actor with offensive capabilities including credential phishing, mobile activity, malware, external exploitation of services, and beyond, Leonard wrote. They target sectors of interest for Russian intelligence collection including government, defense, energy, transportation/logistics, education, and humanitarian organizations.
The group continues to exploit EXIM mail servers around the world, Leonard wrote, a tactic it has employed since 2019, according to a 2020 NSA advisory. Once compromised, the hosts have been observed accessing victim networks, interacting with victim accounts, sending malicious emails, and engaging in information operations (IO) activity.
FROZENBARENTS has also continued to target organizations associated with the Caspian Pipeline Consortium (CPC), one of the largest oil pipelines in the world that transports crude oil from Kazakhstan across Russian territory to the Black Sea, Leonard wrote. The group has targeted a range of unnamed Eastern European energy sector organizations using fake Windows update packages on a domain spoofing CPC that, if executed, loaded a variation of the Rhadamanthys malware that could then exfiltrate stored credentials, including browser cookies.
Dating back to December 2022, the group has also launched multiple waves of credential theft campaigns targeting Ukrainian defense industry, military and Ukr.net mail users, Leonard wrote.
The group has also been active in the information operation space, creating online personas, such as CyberArmyofRussia, or CyberArmyofRussia_Reborn, to push pro-Russian news and narratives and leak stolen data, Leonard wrote.
Both the YouTube channel for CyberArmyofRussia, or CyberArmyofRussia_Reborn (which was pulled down upon notification), and the Instagram account had minimal engagement and a negligible number of subscribers or followers, Leonard wrote. The group's Telegram channel, launched April 1, 2022, remains robust, with frequent posts for nearly 23,000 subscribers. Google researchers assess that the channel was created and controlled by the elite hacking unit.
In several recent incidents, FROZENBARENTS compromised a webserver of the target organization and uploaded a webshell to maintain persistent access to the compromised system, Leonard wrote. The attackers then deployed Adminer, a single-file PHP script for managing databases, to exfiltrate data of interest. Shortly after exfiltration, the data appeared on the CyberArmyofRussia_Reborn Telegram channel.
In another information operation, the Internet Research Agency (notorious for its efforts to shape domestic U.S. opinion ahead of the 2016 presidential elections) produced a series of YouTube Shorts, short-form videos akin to TikTok or Instagram's Reels. The group has focused particularly on narratives supportive of Russia and the business interests of Russian oligarch Yevgeny Prigozhin, especially the Wagner Group, Leonard wrote.
The U.S. Department of Justice indicted Prigozhin, a longtime associate of Russian President Vladimir Putin, in 2018 for his role in the IRA interference operation. He is currently wanted by the FBI.
The group was also promoting a new film by Aurum LLC, a film company partially owned by Prigozhin. This movie has a high production value and communicates narratives portraying the Wagner Group in a positive light, Leonard wrote.
Altogether, Moscow continues to leverage the full spectrum of information operations, from overt state-backed media to covert platforms and accounts, to shape public perception of the war in Ukraine, Leonard wrote.
Smaller campaigns from other hacking groups caught Google's eye as well.
Another operation (attributed to the GRU as well, but perhaps a unit other than FROZENBARENTS) has since April 2022 maintained a Telegram channel to promote and amplify narratives related to the use of biological weapons in Ukraine and how the United States is responsible for the proliferation of biological weapons around the world, Leonard wrote. This campaign involves a Russian-language Telegram channel and an English Substack newsletter, which has published only once.
APT28 (known widely as Fancy Bear, and tracked as FROZENLAKE) sent multiple large waves of phishing emails to hundreds of users in Ukraine in February and March, Leonard wrote. Part of the effort involved reflected cross-site scripting (XSS) on multiple Ukrainian websites, which represents a new tactic for the group.
A Belarusian-linked hacking campaign (tracked as PUSCHA by Google, but sometimes called UNC1151 and linked to Belarus by Mandiant in November 2021) has consistently targeted users in Ukraine and neighboring countries throughout the war, Leonard wrote, typically targeting the i.ua and meta.ua webmail services. Leonard described the phishing campaigns as targeted, and focused on small numbers of users in Ukraine.
Written by AJ Vicens. AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).