This report presents the results of a research on current cyberthreats to the Commonwealth of Independent States (CIS) in 2023 and the first half of 2024.
Yana Avezova
Senior analyst, Research Group of PT Cyber Analytics
The digital status of the CIS
The Commonwealth of Independent States (CIS) was formed in December 1991 with the goal of fostering cooperation among several countries that were formerly part of the USSR. Today, it unites Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan, as well as Turkmenistan, which has the status of an associate member.
The region is undergoing a rapid process of digitalization. Many countries have developed their own national digitalization strategies and programs. As of today, the Internet penetration rate exceeds 70% in most CIS countries. For comparison, according to the Digital 2024: Global Overview Report, the global average is 66.2%. Only Moldova, Tajikistan, and Turkmenistan have Internet penetration rates below the global average.
The digital transformation of CIS countries is facilitated by investments that the region attracts thanks to its geographical location and political significance. China, for one, is working with the Central Asian countries to implement projects under the Digital Silk Road program, which includes the construction of new data transmission lines, data storage and processing centers, the development of satellite navigation and 5G networks, as well as the exchange of knowledge in the field of advanced technology. The European Union is also investing in the region. For instance, Armenia, Azerbaijan, and Moldova are participants in the EU's flagship initiative, EU4Digital, which supports digital transformation and economic growth in the Eastern Partnership countries. In early 2024, Moldova joined the Digital Europe program, which will allow the country to receive funding from the EU for digitalization projects. The World Bank is providing financial assistance to Central Asian countries within the framework of the Digital CASA (Digital Central Asia — South Asia) program. It aims to expand access to high-speed Internet, attract private investment, and develop electronic public services.
The flip side of rapid digitalization is a rising level of cybercrime. Given the political uncertainty and instability, developing robust cybersecurity is crucial for most CIS countries. Cybersecurity levels in CIS countries tend to align with their economic standing. Today, according to the NCSI2 index, Russia is the leader in terms of cybersecurity among the CIS countries. Tajikistan and Turkmenistan have the lowest cybersecurity indices among the CIS countries.
- Source: datareportal.com
- Rankings that reflect readiness to prevent cyberincidents and withstand cyberthreats at a national level.
Primary hotspots of cybercrime
Cybercriminals' interest in the CIS countries is growing quarter by quarter. In the second quarter of 2024, recorded attacks increased 2.6 times year on year (see Figure 3). According to our data, 73% of all attacks targeting CIS organizations were directed at Russia. Kazakhstan (8%) and Belarus (7%) ranked second and third, respectively. The significant number of dark web ads offering to buy, sell, or give away data and services relating to Russia, Belarus, and Kazakhstan provides strong evidence of cybercriminals' interest in these countries. For more details, please refer to An analysis of dark web platforms.
Russia
Russia is an active proponent of international cooperation in the field of cybersecurity, signing agreements with other countries, including those of the CIS. The nation has established and operates Computer Emergency Response Teams (CERTs) to respond to cyberincidents, and it is planning to create a similar center focused on artificial intelligence. In November 2023, Russia adopted the Communications Industry Development Strategy until 2035. The document outlines a transition to trusted, Russian-certified information security tools, the development of a state center for detecting, preventing, and mitigating the consequences of cyberattacks, and the development of a unified centralized system to protect against distributed denial-of-service (DDoS) attacks, among other cybersecurity initiatives.
Russia has faced the brunt of cyberattacks within the CIS. A staggering 73% of all cyberattacks targeting CIS countries in 2023 and the first half of 2024 were directed at Russia. The significant increase in attacks on Russian organizations since 2022 is attributed to the geopolitical situation. Today, Russian entities are under siege from dozens of cyberespionage, hacktivist, and financially motivated groups.
The sectors most frequently targeted by these attacks include industry (11%), telecommunications (10%), government agencies (9%), and IT companies (7%). Social engineering remains the predominant attack method (56%). Malware was used in half of all attacks, and vulnerabilities were exploited in each third attack. Among malware attacks, information stealers were used in 40%, remote access trojans in 31%, and ransomware in 25%. Nearly half (49%) of all attacks resulted in the leakage of confidential information, while 31% disrupted organizations' core operations.
Kazakhstan
Kazakhstan currently ranks seventy eighth in the NCSI, behind Belarus, Moldova, Azerbaijan, and Russia. The country is taking measures to increase its cyber-resilience. In March 2023, the government of the Republic of Kazakhstan approved the Concept of Digital Transformation, Development of the ICT Industry, and Cybersecurity for 2023–2029. According to the document, it plans to further develop the National Coordination Center for Cybersecurity, which was previously created under the Cybershield of Kazakhstan program. As part of this program, the government also plans to create a cyberrange for training information security professionals.
In 2023 and 2024, the most frequent victims of cybercrime in Kazakhstan were media outlets (19%), government agencies (12%), financial organizations (12%), and telecommunications (7%). The high proportion of attacks on the media is due to the wave of DDoS attacks that has hit Kazakh media outlets since November 2023. Cyberattacks were directed at least at nine independent media outlets and the accounts of several journalists in messaging services and social media. To address the growing number of attacks on Kazakh media, Kazakhstan held a roundtable titled, "Information Security of the Media: How to Protect Journalism from Hacker Attacks" in late December 2023.
Two-thirds of all attacks on Kazakhstan (65%) were associated with the use of malware, and in every second (53%), social engineering methods were used. More than a third of attacks (35%) resulted in the leakage of confidential information. Personal data and account credentials were in the highest demand. Experts at the national computer incident response service KZ-CERT named infostealers that attackers used to steal personal data: ReadLine, Vidar, Raccoon, and Azorult.
Belarus
Belarus ranks seventieth in the NSCI, trailing only Moldova, Azerbaijan, and Russia among the CIS countries. In February 2023, Belarus and Russia jointly approved a resolution on cooperation in information security, aimed at defending against external threats, ensuring information security, and strengthening the security system of their Union State. Also in February 2023, the president of Belarus signed Decree No. 40 On Cybersecurity, establishing a national cybersecurity system. For about 14 years, the National Traffic Exchange Center (NTEC) has been operating in the country, with a primary objective of developing a unified national data transmission network. NTEC is a major player in the European telecommunications market and is actively expanding its geographic reach.
Every fifth cyberattack (22%) in Belarus targeted government agencies, followed by industry (14%). Three-quarters of attacks (76%) used malware, and half (57%) resulted in the leakage of confidential data.
The most significant threat to Belarusian organizations comes from cyberespionage groups such as XDSpy, Sticky Werewolf, Lazy Koala, and others (see Figure 20). In early 2024, Avast, the company that owns the CCleaner computer cleaning tool, ceased providing services in Russia and Belarus, rendering the program inoperable in these countries. The cybercrime gang Sticky Werewolf took advantage of the situation, launching a phishing campaign targeting Belarusian organizations. During this campaign, the Ozone RAT was distributed under the guise of CCleaner.
In addition to cyberespionage, another major threat to Belarusian organizations is attacks by the Cyberpartisans group. The Cyberpartisans are hacktivists affiliated with the opposition movement in Belarus. In late 2023, they claimed to have hacked the website of the state news agency BelTA, reporting the theft of 90 GB of confidential information, including employees' personal data. In April 2024, the hacktivists claimed an attack on the country's largest state-owned fertilizer producer, Grodno Azot, due to its alleged involvement in political repression, evasion of sanctions, and human rights abuses. The attackers posted evidence of the breach on their Telegram channel. They claim they could have shut down the plant completely but refrained from doing so.
Victims and consequences of attacks
In 2023 and the first half of 2024, government agencies (18%), manufacturing (11%), and telecommunications (10%) faced the highest number of attacks in the CIS countries. These three sectors are of the greatest interest to malicious actors for several reasons. Firstly, organizations in these industries are strategically important for a country's economy, making them prime targets for cyberattacks in times of geopolitical tension. Secondly, government, industrial, and telecommunications companies store large volumes of sensitive information, primarily personal data and trade secrets. These are targets for a wide range of threat actors, from data brokers on the dark web to state-sponsored cyberspies gathering intelligence.
The main consequences of successful attacks on organizations are data breaches (41%) and disruption of core operations (37%). Attacks on individuals resulted in data breaches in 69% of cases and direct financial losses in 32%.
Personal data and trade secrets together accounted for over half of all data stolen from organizations (30% and 29%, respectively).
Government
Government institutions accounted for 18% of all attacks on organizations in the CIS. Nearly two-thirds (62%) of successful attacks on government institutions in the CIS relied on malicious software, and 57% of attacks employed social engineering techniques. Every fifth attack on government institutions (19%) is a DDoS attack. As a rule, DDoS attacks intensify on the eve or on the day of a significant political or social event. For example, on the day the Dictation of Victory campaign began, a large number of DDoS attacks targeted the United Russia party's services. During the Russian presidential elections, a large number of attempted DDoS attacks on government websites were also recorded. For example, an attack on the election video surveillance portal caused a temporary outage.
Government institutions store vast amounts of confidential data, ranging from personal information of citizens to information relating to national security. A leak of confidential data occurred in 42% of attacks on government institutions. First and foremost, government institutions attract the attention of cyberespionage groups: almost all of them have attacked government organizations at least once. Below, we will discuss in more detail which cyberespionage groups operate in the CIS.
In 27% of attacks on government institutions, websites were the targets. Government websites receive high levels of traffic, so they are of interest to various groups of attackers. Hacktivists, for example, often deface government websites to post political or other slogans. APT groups can use government websites for watering hole attacks. For example, in the summer of 2023, the YoroTrooper APT group hacked several government websites in Tajikistan and placed malicious software on them.
In 28% of attacks, the interests of states were harmed, and 22% led to disruption of government institutions' activities. For example, in February 2024, as a result of a cyberattack on Moldova Post, its postal and financial services were unavailable for about a day, which led to queues at post offices. In April 2023, a cyberattack on the Federal Customs Service of Russia led to disruptions in the operation of the customs' electronic services and hindered customs operations: in particular, the registration of customs declarations was suspended. Incidents like these are non-tolerable events for government institutions, as they undermine public trust and increase social tension in the country.
Industry
The industrial sector is exposed to a high risk of being targeted by cyberattacks year after year, and the CIS countries are no exception. Industrial and manufacturing companies account for 11% of all attacks in this region. Eight out of ten attacks on industrial facilities (79%) used malware. In 42% of these cases, info stealers were employed, in 37% remote access trojans, and in 26% ransomware.
The primary goals of cybercriminals targeting this sector are industrial espionage, extortion, and disruption of industrial processes. A whopping 73% of APT groups operating in the CIS have attempted to penetrate the infrastructure of industrial companies. Phishing emails with malicious attachments are often their initial point of entry. The bait typically includes various official documents, such as fake orders, contracts, invoices, and reconciliation statements. Sometimes, cybercriminals exploit vulnerabilities in the network perimeter. In the fall of 2023, the PT CSIRT team investigated a cybersecurity incident at a Russian energy company. They discovered that attackers had gained access to the infrastructure through a Citrix NetScaler Gateway remote access application. This was allegedly done by exploiting the CVE-2023-3519 vulnerability.
In addition to cyberspies, financially motivated cybercriminals, such as the Shadow ransomware gang, also known as Comet and DARKSTAR, have been infiltrating the infrastructure of industrial companies through vulnerable publicly available services. These attackers encrypted systems using the notorious LockBit Black ransomware and demanded ransoms of up to $1 million for data recovery.
According to Sophos' annual research, 56% of industrial companies faced ransomware attacks in 2023, and this figure rose to 65% in 2024. Ransomware attacks and those carried out by politically motivated cybercriminals aimed at destroying infrastructure pose a particular threat to industry, as they can disrupt production and even cause equipment failures. For example, in July 2023, there were reports of a cyberattack on a regional warehouse of a pharmaceutical company in Primorsky Krai, which resulted in a major pharmacy chain in Vladivostok halting the dispensing of all medications, including subsidized drugs.
Telecommunications
Telecom companies have been the target in one out of every ten cyberattacks against organizations. The primary threat to telecom in the CIS region is DDoS attacks: 43% of all attacks on the industry. This surge in DDoS attacks against telecom is primarily driven by politically motivated hacktivists aiming to disrupt quality communication services for major geopolitical players. Here are just a few recent examples. In the spring of 2024, Russian carrier service provider MTS experienced a powerful DDoS attack originating simultaneously from five countries. Although the attack was repelled, if successful, it would have left MTS subscribers in an entire region without Internet access. In June 2024, the Russian telecom operator PAKT reported a massive DDoS attack on its infrastructure that lasted for two days. During the attack, services were unavailable for some of the company's customers.
Sixty-eight percent of attacks on telecom companies led to disruptions in their core operations. Outages at Internet service providers affect millions of subscribers and disrupt business processes for the attacked operator's clients. For instance, in June 2023, the pro-Ukrainian group Cyber.Anarchy.Squad claimed responsibility for an attack on the Russian telecom operator Infotel, which provides communication services between commercial banks and the Central Bank of Russia. According to the attackers, the attack damaged network equipment and caused a service outage of more than a day. Also in June 2023, another group of attackers claimed to have targeted the Russian satellite communication operator Dozor-Teleport, which serves fuel and energy companies. The cybercriminals asserted that they managed to disable some satellite terminals, reboot network equipment, and destroy information stored on the company's servers, and they also posted 700 files stolen from the victim on their sites. Such attacks lead to significant financial and reputational losses, and recovery can take anywhere from a few days to several months.
It is also important to note that telecom companies' servers store and process large amounts of data. As a result, one in four attacks on telecom companies resulted in the leakage of confidential information. Attackers can control the compromised provider's infrastructure for months or even years, regularly downloading valuable data from it. For example, in February 2024, after the publication of confidential data of the Chinese company iSoon on GitHub, it was revealed that attackers had full access to the infrastructure of Kazakh telecom operators for more than two years. The attackers gained access to vast amounts of various information, including personal and account data of subscribers.
Who is attacking the CIS, and how
Malware and social engineering remain the primary attack methods both globally and in the CIS. However, we have identified a distinctive regional characteristic: the proportion of DDoS attacks on organizations in the CIS is significantly higher than the global average: 18% in the CIS versus 8% worldwide. This disparity in the cyberthreat landscape is linked to the tense geopolitical situation. It has given rise to a large number of new hacktivist groups, which are forming alliances to carry out massive DDoS attacks, primarily targeting organizations in Russia.
Use of malware
Malware attacks dominated the year 2023 and the first half of 2024. We have observed spikes in malware attacks at the beginning and end of 2023. In the first quarter of 2023, this was primarily due to the activities of ransomware gangs, while the fourth quarter saw high activity from cyberespionage groups. This primarily refers to the groups XDSpy, Core Werewolf, Sticky Werewolf, Cloud Atlas, and Hellhounds, which we will discuss further.
The most common attack scenario targeting organizations involves phishing emails with malicious attachments. In fact, this method was used to deliver malware in 74% of cases. Cybercriminals have often used documents related to current political events as bait. For instance, in order to deliver the Headlace backdoor in mid-2023, the APT28 group sent phishing emails to Azerbaijani organizations containing a fifteen-page plan to promote ties between Belarus and Azerbaijan. Conflicts arising from territorial disputes have also become common themes for phishing emails. To capture the attention of recipients in Azerbaijan and Armenia, cybercriminals actively exploit the ongoing conflict between these countries over the Nagorno-Karabakh region. In August 2023, FortiGuard Labs detected a malicious email campaign targeting Azerbaijani organizations that used fake photos depicting aggression from Armenia. Viewing these images would download spyware onto the victim's computer. In September 2023, international airports and government agencies in Armenia were targeted by malicious emails purportedly from the National Security Service, warning of a possibility of a new war with Azerbaijan. These emails delivered AsyncRAT malware to control victims' computers remotely.
Malware primarily infects personal devices when users visit compromised websites (65%), as well as through phishing emails (18%) and messaging apps (18%).
In cyberattacks targeting the CIS region, spyware has been the most prevalent type of malware: it was used in 41% of attacks on organizations and 53% of attacks on individuals. Among the most common infostealer families are Agent Tesla, XDigo, Azorult, Raccoon, Formbook, and RedLine. According to ANY.RUN, the RedLine infostealer ranked first in terms of detection frequency in the second quarter of 2024. In the CIS, RedLine and its fork MetaStealer are used in attacks by cyberespionage groups ReaverBits and Sticky Werewolf, as well as the financially motivated group VasyGrek, also known as Fluffy Wolf.
Cybercriminals also frequently use remote access trojans. In malware attacks on organizations, they accounted for 37%, and in attacks on individuals for 24%. A common example of remote access malware is the Remcos trojan, or Remote Control and Surveillance. Originally a legitimate program, it is now widely used by attackers as a remote access tool. Remcos ranks among the most downloaded trojans on ANY.RUN. The Threat Intelligence team at the PT Expert Security Center (PT ESC) regularly detect phishing campaigns aimed at delivering Remcos to organizations in the CIS. For instance, in January 2024, they identified a phishing campaign targeting organizations in Moldova and Belarus. Attached to the emails was a document disguised as a SWIFT payment document. It contained a VBS macro that, after several iterations, launched the Remcos backdoor. In addition to Remcos, backdoors like njRAT, DarkCrystal, NetWire, and Quasar have also been actively used in attacks on the CIS.
Cyberespionage group attacks
In the context of a complicated geopolitical situation, attacks by cyberespionage groups, including advanced persistent threat (APT) groups, pose one of the most acute threats to the CIS countries. They account for 18% of all successful attacks. Government institutions, industry, science, and education are the most common targets. Organizations in these sectors can provide attackers with the maximum amount of valuable information, which makes them prime targets for cyberespionage.
In 2023 and 2024, cybergangs that have been active for many years, such as XDSpy and Cloud Atlas, continued to operate in the region. However, in addition to long-standing groups, new ones have emerged over the past two years, including Lazy Koala, YoroTrooper, Sticky Werewolf, Hellhounds, and (Ex)Cobalt. Below is a brief overview of the 15 cyberespionage groups that have been most active in attacking CIS countries during this period.
XDSpy
XDSpy has been active since at least 2011. Primarily targeting organizations in Russia, Belarus, and Moldova, it has been attacking various sectors across the CIS region. Its attacks employ a namesake information stealer, distributed through phishing campaigns. Examples of malicious attachments from these campaigns were featured in one of our quarterly reports.
Cloud Atlas
The Cloud Atlas threat actor has been operating since at least 2014. Targeting a wide range of sectors and countries worldwide, including the CIS, their phishing campaigns are regularly detected by the Threat Intelligence (TI) team at the PT ESC. In April 2023, the attackers sent emails to large Russian organizations, posing as requests for support in the Special Military Operation. The document employed the Template Injection technique, which our experts have previously discussed. In late 2023, colleagues recorded Cloud Atlas phishing campaigns targeting a Russian state-owned research company and an agri-industrial company. From February to March 2024, the group launched at least five attacks on government institutions in Russia and Belarus. These attacks involved phishing emails with attachments that downloaded malicious templates from a remote server.
APT31
APT31 has been known since 2016, targeting organizations in Europe, Canada, and the US at different times. In the spring and summer of 2024, cyberespionage campaigns against Russian organizations were detected. The cybercriminals used a variety of tools, including the new backdoor CloudSorcerer. The spring campaign primarily used public cloud services as C&C servers for the backdoor. In July, the cybercriminals used a trojan known since 2021, an updated CloudSorcerer backdoor, and a previously unknown implant whose code is similar to the Clambling backdoor by the APT27 group.
Space Pirates
Space Pirates was discovered by PT ESC in late 2019. The group has been operating since at least 2017. Throughout 2023, the attackers intensified their activity against Russian companies. The TI team at the PT ESC have observed that since the group was discovered, it has hardly changed its tactics or techniques, but has developed new tools and improved old ones. Among the victims in 2023, PT ESC TI identified government and educational institutions, security companies, industrial companies, and fuel and energy companies, as well as companies engaged in information security.
Core Werewolf
The Core Werewolf group was first discovered in 2021. Its targets are Russian organizations in the military-industrial complex and critical information infrastructure. The attackers send phishing emails with malicious attachments disguised as various documents: orders, resumes, or guidelines. For example, at the end of 2023, during the investigation of one incident, the PT CSIRT team discovered an email from the phishing domain fstec[.]support and addressed from FSTEC. The attachment to the email is a self-extracting archive with the UltraVNC remote access software client.
YoroTrooper
The YoroTrooper group first came to the attention of cybersecurity experts in mid-2022. To date, their targets have been limited to CIS countries. Between May and August 2023, the attackers hacked several government websites and compromised accounts belonging to key government officials in these countries. The group has made efforts to hide its origins by hosting most of its infrastructure in Azerbaijan.
(Ex)Cobalt
The name (Ex)Cobalt was given to the Cobalt group, known since 2016, after the cybercriminals shifted their focus from financially motivated attacks to cyberespionage a few years ago. In 2023, the PT ESC team investigated attacks by cybercriminals targeting Russian organizations. Experts also discovered a previously unknown backdoor, GoRed, which is used by the (Ex)Cobalt group.
Sticky Werewolf
Since at least April 2023, organizations in Russia and Belarus have been under attack by the previously unknown group known as "Sticky Werewolf". The first identified attacks targeted government agencies, but the group subsequently expanded its activities to other sectors. As an initial vector, attackers carry out phishing campaigns with malicious attachments disguised as various documents: warnings, statements, summons, or orders. The group's arsenal receives regular updates. For example, in 2023, it delivered the remote access trojans NetWire, Darktrack, Ozone RAT, and the infostealer MetaStealer (a variant of RedLine) to victims' computers. In 2024, the group began using the infostealers Glory and Rhadamanthys.
Mysterious Werewolf
Mysterious Werewolf group first came to light in 2023. In early October, the TI team at the PT ESC discovered phishing emails exploiting the CVE-2023-38831 vulnerability in WinRAR. Victims who opened the malicious attachments were infected with the Athena agent, part of the Mythic framework. Analysts at Cyble described this campaign, and later in November, BiZone expanded on the description and named the group "Shadow Wolf". The group exclusively targets Russian organizations. In one of their latest campaigns, the attackers used their own RingSpy backdoor, controlled via a Telegram bot and providing remote access to compromised devices.
SneakyChef
This group has been active since 2023. Their attacks leverage the SugarGh0st trojan, an improved modification of the well-known Gh0st trojan, whose source code was publicly released in 2008. In November 2023, the Cisco Talos research group published a report detailing a cyberattack on Uzbekistan's Ministry of Foreign Affairs using SugarGh0st. In December 2023, experts with the National Coordination Center for Information Security of Kazakhstan identified a phishing campaign aimed at infecting a Kazakh government agency with SugarGh0st. In June 2024, Cisco Talos shared details of a new campaign by SugarGh0st operators, naming them SneakyChef. The group targets government organizations through phishing emails. They craft bait from scanned government documents mostly relating to foreign ministries and embassies.
Hellhounds
In November 2023, the PT ESC team described attacks by a previously unknown group named "Hellhounds", specifically targeting the infrastructure of Russian companies. The attacks utilized a modified version of the Decoy Dog backdoor, which became the group's flagship tool. Throughout 2024, the group continued to actively target Russian companies, with the number of victims reaching 48 by the second quarter. These victims primarily included IT companies, government agencies, and industry.
ReaverBits
The group was discovered in January 2024. The attackers sent phishing emails to Russian companies, impersonating various organizations including government ministries. The initial emails date back to December 2023. Through these phishing emails, the group distributed the MetaStealer spyware, a fork of the widely used RedLine infostealer commonly employed in attacks targeting the CIS region.
PhantomCore
A new cyberespionage group, dubbed PhantomCore, has been aggressively targeting Russian companies since January 2024. The attackers are sending out phishing emails exploiting the CVE-2023-38831 vulnerability, but instead of ZIP archives, they are using RAR archives. Victims are infected with a previously undocumented remote access trojan, PhantomRAT. The lures used include various official documents such as contracts, reconciliation statements, or invoices. In June 2024, the TI team at the PT ESC detected PhantomCore phishing campaigns targeting Belarusian institutions.
Lazy Koala
The Lazy Koala cybercrime group was first discovered by PT ESC TI team investigating a series of attacks targeting government structures in several CIS countries during the first quarter of 2024. Through phishing campaigns, the group distributed the LazyStealer malware, designed to steal credentials from browsers and then send them to a Telegram bot. In addition to government agencies, the attackers' targets include the financial sector, healthcare organizations, science, and education. In May 2024, PT ESC TI recorded new attacks on Azerbaijan, Belarus, and Uzbekistan. In the attacks on Azerbaijan and Belarus, the attackers changed the format of the messages sent to the bot and changed their nickname from Koala to Capybara, while in the attacks on Uzbekistan, a hosting service was used instead of a Telegram bot.
Sapphire Werewolf
The Sapphire Werewolf group has been active since March 2024, launching over 300 attacks on Russian organizations across various sectors. To steal data, the threat actors employ Amethyst, a custom-developed tool built upon the open-source infostealer SapphireStealer. They distribute this malware via phishing emails, disguising malicious attachments as various legal documents.
MITRE ATT&CK tactics and techniques heatmap
Hacktivist attacks
Our data shows that 26% of cyberattacks against CIS in 2023 and 2024 were carried out by hacktivists. These are cybercriminals who are motivated by political or social causes. For instance, in February 2023, pro-Ukrainian hacktivists breached dozens of Russian organizations' websites and defaced them with videos depicting the Kremlin on fire.
We analyzed the methods of 24 hacktivist groups that were most active in CIS countries over the past two years. Many of them aim to completely destroy compromised infrastructure by encrypting or deleting data.
Eight hacktivist groups specialize in DDoS attacks. Their primary motivator is usually geopolitics. However, any event that causes a public outcry can be a trigger for denial-of-service attacks. For example, in May 2024, after a conflict between Kyrgyz and foreign students in Bishkek, several hacktivist groups launched DDoS attacks on various organizations in Kyrgyzstan, presumably in protest against the mistreatment of foreign students.
Hacktivists have primarily targeted telecommunications companies (23%) and government institutions (17%). By disrupting government services, they aim to erode public trust and stir up social unrest. This was clearly demonstrated in June 2024 when the BO Team hacked the Ulyanovsk administration, crashing their website and spreading false protest invitations to local citizens.
Typically, hacktivist attacks on government organizations intensify before significant political events. For instance, the Nebula group claimed an attack on Russia's election infrastructure ahead of the presidential elections in March 2024.
Attacks by financially motivated ransomware operators
In the CIS, one in five (22%) attacks on organizations using malicious software involves ransomware, and 88% of these attacks are financially motivated. This is due to the potential for high ransoms that can be extracted from victims. Today, ransomware attacks remain one of the most profitable forms of cybercrime not only in the CIS but also worldwide. The amounts of ransom that ransomware operators demanded from compromised organizations in the CIS in 2023 and 2024 ranged from several hundred thousand to several hundred million RUB. The largest ransom, $1 million, was demanded from a Russian bank.
Multi-extortion ransomware attacks are on the rise in CIS countries. In these attacks, cybercriminals employ multiple tactics to coerce victims into paying a ransom. We most commonly encounter double extortion attacks, where cybercriminals not only demand a ransom for decrypting data but also threaten to leak or sell stolen corporate information if the victim fails to pay up.
Industrial and manufacturing companies were the most frequent targets for ransomware attacks, accounting for 21% of the total. A recent notable incident involved an attack on Tkachev Agri-Industrial Complex, one of the largest agricultural producers in Russia. In April 2024, cybercriminals infiltrated the company's infrastructure, disrupted operations, and demanded a ransom of 500 million RUB.
Transportation, financial institutions, and IT companies are the second most common targets of financially motivated ransomware attacks, each accounting for 9% of victims. Disruptions to logistics processes are a non-tolerable event for the transportation industry, making these companies highly motivated to restore operations as quickly as possible. This increases the likelihood of attackers receiving a ransom payment. Financial and technology companies, with their deep pockets, are also attractive targets for financially motivated attackers. Additionally, IT companies are targeted due to a potential for trusted relationship attacks, where cybercriminals can gain access to their clients' networks through IT service providers.
A number of groups targeting the CIS encrypt data using their own unique malware. Over the past few years, certain events have helped to lower the barrier to entry into ransomware attacks. In 2021, the source code for the Babuk ransomware was leaked, and in 2022, the source code for Conti and the LockBit Black (3.0) builder became publicly available. This has led to an increase in ransomware attacks and the emergence of new hacker groups specializing in these.
The most common way ransomware gets into organizations (57%) is by compromising the network perimeter. This often involves exploiting vulnerabilities in publicly accessible applications like Microsoft Exchange and Zimbra email servers. Additionally, attackers can gain access through remote access services, such as RDP and VPN, using legitimate credentials purchased from dark web marketplaces.
A whopping 36% of ransomware attacks begin with a simple phishing email. For example, the Werewolves group launched mass phishing campaigns in the first quarter of 2024 by sending out malicious documents disguised as letters of claim and reconciliation statements to Russian businesses. They targeted industry, finance, and telecommunications industries.
Phishing attacks and scams
A staggering 48% of attacks on businesses and 92% of attacks on private individuals involved social engineering tactics. For private individuals, the most common social engineering techniques involved fraudulent websites (45%) and scammers on messaging platforms (42%). The scale of this problem is immense, as evidenced by the Bank of Russia's report. In 2023 alone, the regulator reported to telecommunications operators over 575,000 phone numbers used by scammers to steal money from the public. Additionally, the agency blocked nearly 43,000 fraudulent websites and social media pages. It is important to note that scammers are constantly evolving their techniques, creating new and more sophisticated ways to deceive their victims.
Credential theft through phishing emails
PT ESC TI regularly detects phishing campaigns aimed at harvesting credentials of employees from various organizations across the CIS. Let us consider a few examples. We will discuss the most interesting phishing emails sent to organizations in the CIS, which were detected by
PT ESC TI in the first half of 2024.
In January, the TI team at the PT ESC discovered a phishing email sent to an Armenian bank, requesting the recipient to sign documents. The email contained a button to view the documents, which, when clicked, redirected the victim to a phishing page with a form for entering credentials. The victim's login was already pre-filled in the form, and only the password needed to be entered.
Similar phishing campaigns targeting Russian organizations were observed in February and March. These attacks also involved requests to sign documents via DocuSign. Phishing links were hidden inside QR codes, which, when scanned, led to fraudulent login pages with the victim's username already pre-filled.
In the second quarter of 2024, two emails were discovered that were sent to banks in Belarus. Both emails contained PDF files with document thumbnails that included links to phishing pages with fake login forms for entering usernames, passwords, and phone numbers.
A common theme in phishing emails aimed at stealing credentials is a demand to change your password under the pretext of its expiration. In February, the TI team at the PT ESC discovered a similar email sent to a Russian organization. The link in the email led to a phishing page that copied the Roundcube Webmail login page.
In June 2024, the TI team at the PT ESC discovered a phishing email demanding a password change which was sent to an organization in Kazakhstan. The password update form was located in an HTML file attached to the email, which the user was supposed to open. The data entered by the victim into this form was sent to the URL of the legitimate service formspark.io for filling out various types of forms and ended up in the hands of attackers.
Another example is a phishing email sent to a Russian fuel and energy company. The email included a phishing HTML page—Maersk Line Shipping Document.XLS.html. When the victim opened the file, they were presented with a fake login page. This page was designed to look like a legitimate Maersk Line website, a Danish logistics company specializing in container shipping. Any information entered into the form was sent to a data harvesting service.
(Un)paid taxes
Taxes have long been a popular theme for social engineering attacks. Fraudsters often promise to refund paid taxes or to notify individuals about outstanding tax debts. By impersonating tax officials or bank employees, they trick victims into revealing personal, account, or banking details, threatening them with fines or account freeze. In August 2023, the Belarusian Ministry of Taxes and Duties reported a surge in fraudulent calls from individuals claiming to be ministry employees, seeking to verify passport details. In January of the same year, the Russian Federal Tax Service issued a warning about a wave of phishing emails. In February, Russians received an alert of yet another phishing campaign, this time involving emails demanding payment for a non-existent "Special Military Operation tax".
It is important to note that cybercriminals employ tax-related scams not only against individuals but also against businesses. At the beginning of the year, organizations in Kazakhstan began receiving fake email warnings about tax violations. This phishing campaign coincided with the end of the country's moratorium on tax audits for small and medium-sized businesses. The emails contained a malicious PDF document that installed remote access trojans on victims' computers.
In the second quarter of 2024, the TI team at the PT ESC detected phishing emails sent by the financially motivated hacking group Hive0117. This group is known for distributing the DarkWatchman backdoor. In June, the attackers sent a dropper for this malware to Russian companies disguised as the Corporate Taxpayer software (NalogUL.exe). Additionally, our TI team recorded a phishing email sent to a manufacturing company and containing a malicious archive with DarkWatchman, masked as the executable file named "Документ из налоговой(запрос).exe" (Document from the tax service (request).exe). This phishing email has several noteworthy features. It was sent from a real email address previously seen in at least seven data breaches and belonging to the CEO of a construction company. The email's content is formatted as a reply to a previous message sent by the victim, designed to build trust. The justification for password-protecting the archive is that the documents are supposedly confidential. Finally, although the email does not explicitly state a deadline, it implies that a tax audit is currently underway. These factors significantly increase the likelihood of the recipient opening the malicious attachment.
Please note that fraudulent schemes of this kind are typically timed to coincide with events on the tax calendar. You should be especially vigilant during tax payment periods. It is important to remember that tax inspectors do not send tax payment requests by email. Such notices are sent either through the taxpayer's personal account or through regular mail.
Credential theft in IM apps: fake vote requests
Mass messaging campaigns requesting votes in contests continue to be a popular tactic for cybercriminals. These scams often aim to steal user credentials or generate direct financial gain. For instance, the Armenian cybersecurity organization CyberHUB-AM recently published a research on a phishing campaign that targeted Telegram users in Armenia and Uzbekistan in 2023 and 2024. Victims received messages containing links to fake voting pages where they were asked to enter their phone numbers and Telegram authentication codes to log in. It is worth noting that this is not the first time CyberHUB-AM has investigated a scheme like that. Last July, the company reported on fake voting campaigns promoted by the advertising bot Post Bot.
Russian users of popular messaging apps and social networks are regularly targeted by attacks involving fake polls and votes. In the spring and summer of 2023, Telegram and WhatsApp users frequently received messages asking them to vote for various child contesters. Links in these messages led to phishing pages with surveys where the users were asked to enter their login credentials. By the end of summer 2023, our colleagues had discovered over 2,000 such phishing sites designed to hijack accounts. In early December 2023, they observed a new wave of fraud involving fake voting aimed at hijacking accounts in popular messaging services. This time, child creativity was replaced by the themes of family life and professional skills. In March 2024, another wave of account hijacking through phishing with surveys was detected. This time, attackers offered to vote for the best manager or public relations professional. To cast a vote, users were asked to log in to Telegram via a QR code or a digital code sent to their phone. This led to account hijacking, and victims lost access to their account together with all of the information in it. Typically, in all these scams, after an account was hacked, a phishing email would be sent to the victim's entire contact list, turning them into unwitting accomplices in spreading fraudulent messages.
Easy coins: crypto scammers' attacks
Cybercriminals are preying on those looking to make a quick buck in the cryptocurrency market. In mid-June 2023, Trend Micro shared the results of an investigation into a large-scale fraud involving the creation of fake cryptocurrency platforms. For at least five years, the cybercriminal group Impulse Team has been running a fraudulent affiliate campaign targeting CIS residents interested in crypto trading. In that time, numerous platforms were set up to entice victims via social media with promises of rewards. Users were required to pay a fee to withdraw their prizes, and this money was sent to the wallets of scammers.
Our colleagues uncovered a new cryptocurrency scam targeting Russian-speaking users in April 2024. These scams prey on individuals looking for quick and easy profits. This time, the attackers offered to earn Toncoin. The essence of the scam is as follows. Users were convinced to register a cryptocurrency wallet in an unofficial Telegram cryptocurrency storage bot, transfer money, and then invite at least five friends through referral links, for which they were supposedly entitled to a commission. In practice, no commissions were ever paid, and all funds invested by users were completely lost.
In May 2024, the Telegram game, Hamster Kombat, started to become a hit. As a cryptocurrency exchange CEO in this game, players earn in-game currency through endless clicks on a virtual hamster. Cybercriminals did not miss the opportunity to profit from the game's popularity. Users looking for ways to withdraw their earnings should be vigilant and cautious. The news about the pre-market trading of Hamster Kombat tokens was announced in early July, but crypto scammers have long been offering their own applications for withdrawing cryptocurrency, to which a TON wallet must be linked. In this way, scammers gain access to conducting any operations with the victim's wallet. Another threat is the theft of Telegram accounts. For example, the victim is forced to sign in to their account under the pretext of starting a bot. In another scenario, players receive messages with links to phishing sites that allegedly allow them to convert in-game currency into rubles. To do this, victims are asked to authorize in Telegram, after which control over the victim's account passes into the hands of scammers who can use it for their own purposes.
Audio and Video Deepfake Fraud
Cybersecurity experts have long been familiar with a social engineering scenario known as FakeBoss. In this scheme, a malicious actor creates a fake profile and contacts an employee, posing as a company executive. Using various pretexts, the attacker attempts to extract information or convince the employee to carry out a financial transaction. Cybercriminals can now leverage artificial intelligence to upgrade their tactics. In particular, instead of sending text messages, fraudsters have started making calls. To imitate the voice of an executive during the call, cybercriminals use audio deepfakes: a voice generated by artificial intelligence. For example, in March, it was reported that attackers had forged the voice of the CEO of a Moscow fitness club and convinced an employee to transfer a large sum of money to a courier.
Such attacks may target both employees of organizations and other individuals. In January, cybercriminals stole money from a Moscow resident by forging the voice of a victim's relative in a Telegram message. In Kazakhstan, an elderly woman was nearly defrauded of a large sum of money. A uniformed man, posing as a law enforcement officer, called her via video link. The image of the police officer was created using a neural network. The fraudster tried to convince the woman to transfer money to the attackers' account, but the incident was prevented thanks to the vigilance of bank employees. In Uzbekistan, scammers created a deepfake video featuring the CEO of a mining and metallurgical combine. Posing as the CEO, they invited citizens to join a Telegram group dedicated to an investment program that promised large profits in a short time.
These are just a few examples of attacks leveraging artificial intelligence. The consequences can be much more serious than the examples described above. For instance, experts believe that in 2024, a combination of deepfakes with social engineering could be used to disrupt elections worldwide. Some CIS countries, including Russia and Uzbekistan, are considering new laws to make creating and using deepfakes a criminal offense. This is in response to the rising threat of cybercrimes involving deepfake technology.
An analysis of dark web platforms
On dark web marketplaces, malicious actors engage in the buying and selling of stolen data, counterfeit documents, access to compromised corporate networks, and tools and services for carrying out attacks. We analyzed 431 unique listings on various dark web forums and Telegram channels that mentioned CIS countries throughout 2023 and the first half of 2024. There was a 35% year-on-year increase in posts in the first half of 2024.
The majority of posts relate to databases (40%), with only 20% of them being sold and 79% being given away for free. Some of these listings belong to posts by hacktivists who leak data onto the dark web for political reasons without pursuing financial gain. The rest are databases stolen by financially motivated cybercriminals, where the victim companies refused to pay a ransom, and now their data has been posted on the dark web for free.
Listings relating to counterfeit or stolen documents (16%) and money laundering (15%) come in second and third place. Some posts are unrelated to buying or selling but are news about ransomware attacks (13%) or website defacements (5%). A small number of listings is associated with finding money mules and their coordinators (3%), selling access to compromised companies (2%), and information lookup on a person (2%). Several listings were related to the buying or selling of accounts on various services (1%) and the sale of so-called "gray" SIM cards, that is those registered to third parties that are used by attackers to commit fraudulent activities.
Approximately one in five (21%) of database-related listings were linked to the retail sector, primarily involving the sale and distribution of online store databases. IT companies ranked second. Our research into data leaks revealed that widespread malware infections in open-source repositories, which are frequently used by developers, is a significant factor contributing to the high rate of data leaks from IT companies.
Prices for databases on sale varied widely, ranging from $100 to $50,000. The median price for Russian company databases on the dark web was $900. Notably, 80% of sale-related listings did not specify a price, indicating negotiable terms. This makes it impossible to objectively assess the cost of each type of information or service offered.
Some listings were associated with two or more CIS countries. For instance, a single listing might offer access to multiple organizations from different countries. The majority of listings pertained to Russia (85%), Belarus (29%), and Kazakhstan (28%). These three countries receive the most attacks.
Half (46%) of Russia-related listings involved the sale or free distribution of databases. For Belarus and Kazakhstan, listings relating to money laundering and counterfeit documents were more prevalent.
