Russian threat actors are increasingly leveraging Artificial Intelligence (AI) to enhance their cyberattacks against Ukrainian entities, according to the country’s State Service for Special Communications and Information Protection (SSSCIP). The use of AI is evident not only in the creation of sophisticated phishing emails but also in the generation of malware code.
Increased Incidents and Evolving Tactics
In the first half of 2025 (H1 2025), Ukraine recorded 3,018 cyber incidents, a rise from 2,575 in late 2024. This increase in activity, accompanied by a "radical change in tactics, techniques, and procedures," suggests that effective Ukrainian countermeasures are forcing Russian groups to adopt new methods and bring in "fresh blood." While attacks on the government and energy sectors declined, those targeting local authorities and military entities increased.
The SSSCIP report details the activities of several threat actors:
- UAC-0219: This group is suspected of using AI to generate PowerShell scripts for its WRECKSTEEL malware, which steals data and takes screenshots.
- UAC-0218: This group intensified its phishing campaigns in early 2025. Its malicious emails contain links to UKR.NET archives that deliver HOMESTEEL, a file-stealing malware.
- UAC-0226: This group targets defense, government, and law enforcement sectors. It deploys the GIFTEDCROOK stealer, which extracts browser data and sends it to hacker-controlled Telegram chats.
Espionage and Zero-Click Flaws
Government experts also warned about UAC-0227, an espionage group targeting local governments and critical infrastructure. This group has been seen distributing malicious SVG vector image files via email, a technique that abuses the browser's default handling of SVG files. Analysis suggests UAC-0227's activity dates back to late 2023, with initial targets in European Union countries.
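Because SVG is XML that browsers render with scripting enabled, an emailed SVG can be inspected for active content before it ever reaches a mailbox. The scanner below is an added example written for this article; it is not code from the SSSCIP report or from any group named here. It assumes attachments are available as (filename, bytes) pairs, and every sample SVG in it is constructed for illustration.

```python
"""Flag SVG e-mail attachments that carry active content.

Indicators checked: <script>/<foreignObject>/embedding elements, on*
event-handler attributes, javascript:/data:text/html links, external
references, DOCTYPE/ENTITY declarations, and malformed XML.
"""
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed non-SVG (HTML) content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# href schemes that execute code or smuggle an HTML payload.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name: str) -> str:
    """Strip the XML namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1] if name.startswith("{") else name


def svg_indicators(svg_text: str) -> list[str]:
    """Return a sorted list of risk indicators found in one SVG document."""
    found = set()
    # An image file should never need a DOCTYPE; entity tricks start here.
    if re.search(r"<!DOCTYPE|<!ENTITY", svg_text, re.IGNORECASE):
        found.add("doctype-or-entity")
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Renderers recover from bad XML differently; treat it as suspicious.
        return sorted(found | {"malformed-xml"})
    for elem in root.iter():
        if _local(elem.tag) in ACTIVE_ELEMENTS:
            found.add(f"element:{_local(elem.tag)}")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onerror, ...
                found.add(f"handler:{aname}")
            elif aname == "href":  # covers both href and xlink:href
                v = value.strip().lower().replace(" ", "")
                if v.startswith(DANGEROUS_SCHEMES):
                    found.add(f"href:{v.split(':', 1)[0]}")
                elif v.startswith(("http://", "https://")):
                    found.add("external-ref")
    return sorted(found)


def scan_attachment(filename: str, data: bytes) -> dict:
    """Scan one attachment; non-SVG files are passed through untouched."""
    text = data.decode("utf-8", errors="replace")
    # Check content as well as extension: a renamed SVG still opens as SVG.
    is_svg = filename.lower().endswith(".svg") or "<svg" in text[:2048].lower()
    if not is_svg:
        return {"file": filename, "svg": False, "indicators": [], "block": False}
    indicators = svg_indicators(text)
    return {"file": filename, "svg": True, "indicators": indicators,
            "block": bool(indicators)}


# Constructed samples (not real lures): one clean icon, one with active content.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* constructed placeholder, not a real payload */</script>
  <a xlink:href="javascript:void(0)"><text y="20">Open document</text></a>
</svg>"""

if __name__ == "__main__":
    for name, blob in (("logo.svg", BENIGN_SVG), ("invoice.svg", SUSPICIOUS_SVG),
                       ("report.pdf", b"%PDF-1.7")):
        print(scan_attachment(name, blob))
```

A gateway policy built on this would quarantine any SVG with a non-empty indicator list rather than try to sanitise it, since stripping script from SVG reliably is harder than blocking the file type for senders who have no business sending it.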

Furthermore, the Russia-linked cyberespionage group APT28 was found exploiting multiple XSS flaws in Roundcube and Zimbra webmail clients for zero-click attacks, underscoring the hackers' focus on leveraging legitimate platforms for malicious purposes. The SSSCIP concluded that the number of legitimate online resources exploited by Russian hackers has been steadily increasing.