This is the final installment of the Trustwave SpiderLabs Russia-Ukraine digital battlefield series, which has covered the differences between Russian and Ukrainian cyber actors; how government entities, defense organizations, and individuals were caught in the cyber crossfire; and how both countries targeted the telecommunications, critical infrastructure, and technology sectors.
If you need to catch up, please read Part 1, Part 2, and Part 3.
In this final installment, we shine a spotlight on Russian state-backed actors and their operations.
In September 2024, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) assessed that the infamous UNC2589 group (also known as Cadet Blizzard, Ember Bear, and UAC-0056) is affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).
Since at least 2020, Unit 29155 has been responsible for conducting computer network operations against global targets for espionage, sabotage, and reputational harm. UNC2589 gained widespread attention following the destructive WhisperGate malware attacks against several Ukrainian organizations starting in January 2022.
In April 2024, Mandiant elevated the Sandworm group to the status of an advanced persistent threat group (APT), labeling it APT44 and marking it as a “high severity threat to governments and global critical infrastructure operators”. APT44 is known to be operated by the GRU’s Military Unit 74455.
The group has used various cyber personas to publicly take credit for data leaks and disruptive actions to create second-order psychological effects. It has cycled through at least three main hacktivist-branded Telegram channels: XakNet, CyberArmyofRussia_Reborn, and Solntsepek to claim responsibility for its wartime operations.
Mandiant assessed that XakNet and CyberArmyofRussia_Reborn were directly coordinating their operations with APT44 based on indicators such as deploying APT44 tools on the networks of Ukrainian victims, whose data was subsequently leaked on Telegram within 24 hours of wiping activity.
In December 2023, the UK National Cyber Security Centre (NCSC), CISA, FBI, NSA, and partner agencies assessed that the UNC4057 group (also known as Star Blizzard, COLDRIVER, and Callisto Group) is likely subordinate to the Russian Federal Security Service (FSB) Centre 18. On the same day, December 7, 2023, a federal grand jury in San Francisco indicted two UNC4057-associated individuals, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for espionage campaigns targeting government and military organizations, including a hack-and-leak operation intended to influence the UK's 2019 general election.
Since at least 2019, UNC4057 has targeted the government, defense, and academic sectors, NGOs, think tanks, and individual politicians. Most of its targets are located in the UK and the US, although activity against other NATO countries has also been observed.
Figure 1. Russian state-backed threat actors.
APT29 and Global Espionage Operations
Figure 2. APT29 and its targeted sectors from September 2023 to February 2025.
APT29 (also known as Midnight Blizzard, Cozy Bear, or The Dukes) is believed to be part of the Russian Foreign Intelligence Service (SVR). The group's operations and focus on Ukraine intensified in the first half of 2023 as Kyiv launched its counteroffensive, highlighting the SVR's crucial role in gathering intelligence during this pivotal phase of the war. In parallel with this increased focus on Ukraine, APT29 has ramped up its phishing activities while continuing its routine espionage operations targeting global diplomatic entities. These malware delivery operations primarily target European ministries of foreign affairs and embassies, though the group has also maintained global operations, reflecting Russia's broad geopolitical interests.
Initial Access: Adaptation to New Security Measures
As organizations modernize their systems and move to cloud-based infrastructure, the SVR has adapted its tradecraft to the new operating environment. The NCSC and partner agencies have observed APT29 using stolen access tokens to reach victims' accounts without needing a password at all. Where a password is needed, the group obtains one by password spraying (a single common password tried across many accounts, which stays under per-account lockout thresholds), and it defeats multi-factor authentication by MFA bombing, also called MFA fatigue: flooding the victim's device with push requests until the victim accepts one. Once inside the cloud environment, SVR actors have been seen registering their own devices on the tenant. If no device-validation rule is enforced (for example, a policy that only enrolls managed or compliant devices), the registration succeeds and the actor gains durable network access from a device it fully controls. In sign-in telemetry the chain shows up as three linked signals: many password failures for different accounts from one source, a burst of uncompleted MFA challenges for one account that ends in a success, and a device registration by that account shortly afterwards.
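The following Python is an added example, not code from the original post or from the NCSC advisory; it hunts for the three-step chain just described (password spraying, MFA fatigue, then device registration) over a constructed, simplified log modelled on Entra ID sign-in events. The two result codes it keys on, 50126 (wrong password) and 500121 (MFA challenge not completed), are Entra ID's; the field names, thresholds and sample data are assumptions made for illustration.

```python
"""Hunt for the SVR cloud initial-access chain over sign-in telemetry.

Added example, not code from the original post. Works over a constructed,
simplified log modelled on Entra ID sign-in events; the two result codes
(50126 = wrong password, 500121 = MFA challenge not completed) are Entra ID's,
every other field name, threshold and the sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126
MFA_NOT_COMPLETED = 500121
SUCCESS = 0

# Constructed sample telemetry (not real logs): one spraying IP tries five
# accounts, lands bob's password, pushes him three MFA prompts until one is
# accepted, then registers a device on the tenant with his session.
EVENTS = [
    {"type": "signin", "time": "2024-03-01T08:00:00", "user": "alice", "ip": "198.51.100.5", "result": SUCCESS},
    {"type": "signin", "time": "2024-03-01T09:00:00", "user": "alice", "ip": "203.0.113.7", "result": BAD_PASSWORD},
    {"type": "signin", "time": "2024-03-01T09:01:00", "user": "bob", "ip": "203.0.113.7", "result": BAD_PASSWORD},
    {"type": "signin", "time": "2024-03-01T09:02:00", "user": "carol", "ip": "203.0.113.7", "result": BAD_PASSWORD},
    {"type": "signin", "time": "2024-03-01T09:02:30", "user": "frank", "ip": "192.0.2.9", "result": BAD_PASSWORD},
    {"type": "signin", "time": "2024-03-01T09:03:00", "user": "dave", "ip": "203.0.113.7", "result": BAD_PASSWORD},
    {"type": "signin", "time": "2024-03-01T09:04:00", "user": "erin", "ip": "203.0.113.7", "result": BAD_PASSWORD},
    {"type": "signin", "time": "2024-03-01T09:10:00", "user": "bob", "ip": "203.0.113.7", "result": MFA_NOT_COMPLETED},
    {"type": "signin", "time": "2024-03-01T09:11:00", "user": "bob", "ip": "203.0.113.7", "result": MFA_NOT_COMPLETED},
    {"type": "signin", "time": "2024-03-01T09:12:00", "user": "bob", "ip": "203.0.113.7", "result": MFA_NOT_COMPLETED},
    {"type": "signin", "time": "2024-03-01T09:13:00", "user": "bob", "ip": "203.0.113.7", "result": SUCCESS},
    {"type": "device_registration", "time": "2024-03-01T09:30:00", "user": "bob", "device": "DESKTOP-7Q2K", "ip": "203.0.113.7"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def password_spray_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs that failed the password step for >= min_accounts distinct
    users inside one sliding window: one password tried across many accounts."""
    fails = defaultdict(list)
    for e in events:
        if e["type"] == "signin" and e["result"] == BAD_PASSWORD:
            fails[e["ip"]].append((_ts(e["time"]), e["user"]))
    hits = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def mfa_fatigue_victims(events, min_prompts=3, window=timedelta(minutes=15)):
    """Users who left >= min_prompts MFA challenges uncompleted and then had
    one succeed inside the window: the push-bombing pattern."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "signin" and e["result"] in (SUCCESS, MFA_NOT_COMPLETED):
            by_user[e["user"]].append((_ts(e["time"]), e["result"], e["ip"]))
    victims = {}
    for user, items in by_user.items():
        items.sort()
        pending = []  # timestamps of uncompleted challenges still inside the window
        for t, result, ip in items:
            pending = [p for p in pending if t - p <= window]
            if result == MFA_NOT_COMPLETED:
                pending.append(t)
                continue
            if len(pending) >= min_prompts:
                victims[user] = {"prompts": len(pending), "accepted_at": t, "ip": ip}
            pending = []  # a success closes the sequence either way
    return victims


def risky_device_registrations(events, victims, within=timedelta(hours=24)):
    """Device registrations by a fatigue victim shortly after the accepted
    prompt; with no device-validation rule in place this is the foothold."""
    out = []
    for e in events:
        if e["type"] != "device_registration" or e["user"] not in victims:
            continue
        delta = _ts(e["time"]) - victims[e["user"]]["accepted_at"]
        if timedelta(0) <= delta <= within:
            out.append({"user": e["user"], "device": e["device"], "time": e["time"]})
    return out


def hunt(events=EVENTS):
    """Run the three checks and chain them into one finding set."""
    victims = mfa_fatigue_victims(events)
    return {
        "password_spray": password_spray_sources(events),
        "mfa_fatigue": victims,
        "device_registrations": risky_device_registrations(events, victims),
    }


if __name__ == "__main__":
    for name, finding in hunt().items():
        print(f"{name}: {finding}")
```

Against the sample, the spraying IP is flagged for five accounts, bob is flagged for three unanswered prompts followed by an acceptance, and his device registration 17 minutes later is tied back to that acceptance; frank's single failure and alice's normal sign-in produce nothing. On real exports the thresholds need tuning per tenant, and the device-registration step is only meaningful if registration is actually possible without a compliant-device policy, which is the gap the advisory warns about.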
Figure 3. APT44 and its targeted sectors from September 2023 to February 2025.
APT44 (aka Seashell Blizzard or Sandworm) remains a formidable threat to Ukraine and allied countries. During the second year of the war, the group's targets and tactics evolved with a growing emphasis on espionage aimed at providing Russia's conventional forces with a strategic advantage.
The Sandworm Family refers to a network of interconnected cyber units operating under Russian state sponsorship rather than a single hacker group. These groups share resources, tools, and personnel, enabling coordinated operations that range from critical infrastructure attacks to cyber espionage while maintaining flexibility and adaptability.
Sandworm also collaborates with hacktivist and cybercriminal groups such as the aforementioned XakNet, CyberArmyofRussia_Reborn, and Solntsepek to expand its reach and obscure attribution. This decentralized structure allows for simultaneous global operations and enhances operational deniability and resilience, making Sandworm and its affiliated network one of the most formidable actors in the Russia-Ukraine cyber conflict.
Figure 4. UNC2589.
UNC2589 (also known as Cadet Blizzard, Ember Bear, and UAC-0056) is affiliated with GRU Unit 29155, which CISA assesses to be responsible for attempted coups, sabotage, and influence operations throughout Europe. Since at least 2020, Unit 29155 has expanded its remit to include offensive cyber operations. The objectives of UNC2589's cyber actors appear to be information gathering for espionage, reputational harm through the theft and release of sensitive data, and systematic sabotage through data destruction. The FBI assesses the Unit 29155 cyber actors to be likely junior active-duty GRU officers who operate under the guidance of experienced leadership within the unit and refine their technical skills through cyber operations and intrusions.
Additionally, the FBI believes that Unit 29155's cyber actors collaborate with non-GRU personnel, including known cybercriminals, to carry out their operations.
Figure 5. UNC2589’s attack chain and objectives. Source: CISA.
Figure 6. APT28 and its targeted sectors from September 2023 to February 2025.
APT28 (also known as Forest Blizzard, Fancy Bear, and Sofacy) is attributed to Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (still widely known as the GRU). APT28's activity in this period focused mostly on infiltrating government organizations, although an attack against an energy facility was also observed.
Research published by Volexity in November 2024 gives unique insight into the level of complexity APT28 can bring to an intrusion. In early February 2022, shortly before Russia invaded Ukraine, APT28 gained access to the network of its target, Organization A, by connecting to its enterprise Wi-Fi while the operators were thousands of miles away. The actor had first obtained valid credentials by password-spraying Organization A's Internet-facing services, but could not use them there because those services required MFA; the Wi-Fi network did not. It therefore compromised organizations in neighboring buildings, found dual-homed systems with both a wired connection and a Wi-Fi adapter, and used those machines to join Organization A's Wi-Fi. Volexity dubbed this the "Nearest Neighbor Attack"; the practical lesson is that Wi-Fi authentication deserves the same MFA and monitoring as any other remote-access path.
In September 2023, CERT-UA reported an APT28 attack on Ukrainian energy infrastructure that used CVE-2023-38831, a WinRAR archive-handling flaw, to deliver malware. The attackers relied on living-off-the-land techniques and abused the legitimate web services mockbin.org and website.hook as their command and control channel.
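As an added example, not code from the original post, from CERT-UA or from Trustwave, the following Python scans a ZIP archive for the entry layout that CVE-2023-38831 lures relied on, as described in public analyses of the bug (fixed in WinRAR 6.23): a decoy document entry and a folder entry with the exact same name (typically ending in a space) that holds an executable whose name begins with the decoy's. Opening the decoy in a vulnerable WinRAR launched the executable instead. The sample archives are constructed in memory and the "payload" is a harmless echo; the extension list and the benign sample are assumptions.

```python
"""Flag ZIP archives laid out the way CVE-2023-38831 lures were.

Added example, not code from the original post or from CERT-UA. The trigger
layout is the one in public analyses of the WinRAR bug: a decoy document and
a same-named folder containing an executable whose name starts with the
decoy's. Sample archives are constructed in memory; the payload only echoes.
"""
import io
import posixpath
import zipfile

# Extensions that WinRAR would hand to ShellExecute as runnable (assumption,
# extend for your environment).
EXEC_EXT = {".cmd", ".bat", ".exe", ".vbs", ".js", ".scr", ".ps1", ".lnk", ".hta"}


def suspicious_entries(zip_bytes):
    """Return (decoy, executable) pairs matching the decoy-plus-same-named-folder layout."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    files = {n for n in names if not n.endswith("/")}
    # Every directory the archive implies, whether or not it has its own entry.
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
    findings = []
    for decoy in sorted(files):
        if decoy not in dirs:
            continue  # a file and a folder sharing one exact name is the lure's signature
        base = posixpath.basename(decoy)
        for member in sorted(files):
            if not member.startswith(decoy + "/"):
                continue
            inner = posixpath.basename(member)
            if inner.startswith(base) and posixpath.splitext(inner)[1].lower() in EXEC_EXT:
                findings.append((decoy, member))
    return findings


def build_lure_sample(decoy="Document.pdf "):
    """Constructed archive with the lure layout (note the trailing space)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(decoy, b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr(f"{decoy}/{decoy}.cmd", b"@echo off\r\necho constructed sample\r\n")
    return buf.getvalue()


def build_benign_sample():
    """Ordinary archive: an executable inside a folder, but no same-named decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("report/notes.txt", b"meeting notes\n")
        zf.writestr("report/setup.exe", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    print("lure:", suspicious_entries(build_lure_sample()))
    print("benign:", suspicious_entries(build_benign_sample()))
```

The check keys on archive structure rather than on WinRAR, so it can run at a mail gateway or in a sandbox pre-filter; it deliberately does not flag the benign sample, where a folder merely contains an executable, because only the exact name collision between a file and a folder triggers the WinRAR behaviour. RAR containers need a third-party parser, and patching WinRAR to 6.23 or later remains the actual fix.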
Figure 7. TURLA and its targeted sectors from September 2023 to February 2025.
TURLA (also known as Secret Blizzard, Venomous Bear, or UAC-0003) targets a broad range of sectors, with a particular focus on government ministries, defense departments, and defense-related companies worldwide. The group aims to maintain long-term access to systems for intelligence gathering, using advanced backdoors. CISA has attributed Turla to Center 16 of Russia's FSB.
The ongoing cyberwarfare between Russia and Ukraine has redefined the role of cyberspace in modern conflict, showcasing how digital operations have become as critical as physical battles. Over the past three years, both sides have demonstrated unique evolving approaches, leveraging their respective strengths to achieve strategic and symbolic objectives.
Attacks on energy grids, financial institutions, and government systems in Ukraine have highlighted the precision and technical sophistication of Russian operations, which often extended beyond Ukraine's borders. On the other hand, pro-Ukrainian hackers have adopted a decentralized and agile approach, focusing on symbolic targets to undermine Russia's reputation and boost morale for Ukraine and its allies. Their often disruptive and highly visible attacks demonstrate how asymmetric strategies can challenge even the most resourced adversaries.
The importance of understanding not just Russian APTs but also pro-Ukrainian groups and their attack techniques during the conflict cannot be overstated, especially for the public and critical infrastructure sectors across the globe. While operations performed by state-sponsored APT actors are usually much more sophisticated, most of their attack methods are also employed by a wide range of adversaries in the cybercriminal ecosystem, including ransomware groups. By looking at how these advanced threat actors operate and how they exploit weaknesses within networks, organizations can better prepare for a wide range of cyber threats, fortifying their defenses against both nation-state and criminal adversaries.
Russian APTs frequently exploit zero-day vulnerabilities, which allow them to gain initial access and establish footholds in ways that are difficult to detect. These zero-day exploits set the stage for later phases of an attack, whether data exfiltration, destruction, or espionage. The same can be said of ransomware actors: for example, the Cl0p group exploited a MOVEit Transfer zero-day (CVE-2023-34362) in mid-2023, compromising hundreds of victims in the government and private sectors, after having exploited the GoAnywhere MFT zero-day (CVE-2023-0669) earlier that year to impact numerous organizations.
Attack methodologies employed by Russian APTs, such as social engineering, spear-phishing campaigns, and lateral movement, are pervasive across the global cyber threat landscape. Living-off-the-land (LotL) techniques, open-source reconnaissance tools (Masscan and PingCastle), and penetration-testing and adversary-simulation frameworks (Metasploit and Cobalt Strike) are likewise common across many threat actors. Modern security systems must therefore be able to detect attack chains and anomalies rather than only known threats.
The lessons drawn from analyzing attacks performed by state-sponsored threat actors should serve as a guidebook for implementing resilient security practices across all industries, helping organizations detect, prevent, and mitigate ever-evolving threats. Their sophisticated attack methods remind us that cybersecurity is a dynamic and ongoing challenge. Understanding the techniques of Russian APT actors is not merely about countering a specific threat but about adopting a more robust and proactive cybersecurity posture against a wide range of attacks.