Majority of 2024 Cyberattacks on Russia Linked to Professional Hackers

60% of Cyberattacks on Russia in 2024 Attributed to Professionals

In the first half of 2024, the majority (60%) of successful targeted cyberattacks on Russian organizations were carried out by professional hackers, specifically cyber mercenaries and pro-government groups. For initial access to infrastructure, attackers most often used compromised employee accounts and vulnerabilities in corporate web applications. In 2023, most attacks were attributed to cyber vandals and hacktivists, and the number of incidents involving stolen accounts was four times lower. These findings come from a report by the Solar 4RAYS Cyber Threat Research Center of the Solar Group.

The research is based on investigations conducted by the company from January to June 2024. It includes data on the industries of targeted organizations, the goals of cybercriminals, and the techniques and tactics they used. The report also describes the main characteristics of the cyber groups identified by experts. During this period, more than 30 incidents involving unauthorized access to the IT infrastructure of various companies were analyzed.

Rising Skill Level Among Hackers

There has been a noticeable increase in the skill level of hackers targeting Russian infrastructure. While the activity of pro-government groups remains at last year’s level, cyber mercenaries—professionals working on behalf of third parties—are now at the forefront. In the first half of 2023, cyber mercenaries were responsible for only 10% of investigated attacks, but in 2024 their share rose to 44%. Often, the clients for such attacks are foreign government agencies. During the reporting period, the Solar Group team encountered hackers from Eastern Europe and the Asia-Pacific region. The most active groups remain Lifting Zmiy and Shedding Zmiy.

Main Goal: Cyber Espionage

The primary objective of most attacks is cyber espionage. After obtaining the necessary information, some cybercriminals deliberately destroy company infrastructure, usually by encrypting data without demanding a ransom. This behavior is most often observed among groups from Eastern Europe. In most cases, attackers remained in the victim’s network for no longer than a week, but there were instances where hackers stayed in the infrastructure for more than two years.

Changing Hacker Tools and Techniques

The tools used by hackers have also evolved over the past year. In 2024, compromised accounts were used for initial access in 43% of cases, compared to just 15% in 2023. This increase is likely due to the growing number of large-scale data leaks in recent times.

Exploitation of web application vulnerabilities also remained significant: 43% of incidents in 2024 and 54% in 2023. Web applications remain one of the most vulnerable elements of the IT perimeter, as confirmed by penetration testing results. In 2023, 56% of corporate web applications examined by Solar Group experts had high or medium severity vulnerabilities that could cause serious damage to companies’ information assets. Similar figures were observed in 2022.

Increasing Complexity and Diversity of Attacks

According to the company, attackers continue to complicate and diversify their tools. In the first half of 2023, specialists encountered 92 different attack techniques, while in 2024 this number increased to 122. Special attention is paid to the stages of reconnaissance, evasion of detection, and persistence within the network. Under these conditions, it is important to recognize that the number of complex targeted attacks will only continue to grow, and basic security measures are no longer sufficient. Regular software updates, staying informed about current threats, employee cybersecurity training, regular infrastructure audits, and the use of modern monitoring and protection tools are all required.
