According to the State Service for Special Communications and Information Protection of Ukraine (SSSCIP) and CERT-UA (Government Computer Emergency Response Team of Ukraine), the number of cyberattacks on Ukraine has significantly increased. In 2024, the number of cyber incidents rose by almost 70% compared to 2023, reaching 4,315 incidents (compared to 2,541 in 2023). It is predicted that this trend will continue in 2025.
Main Targets of Attacks:
- Energy Sector: Remains a priority target. Attacks aim to destabilize the power grid, cause outages, and exert psychological pressure.
- Government Institutions and Local Authorities: Targets include stealing sensitive information, gaining access to data, and compromising accounts and systems.
- Security and Defense Sector: Hackers try to obtain intelligence data, information about the Armed Forces of Ukraine (AFU), and data from defense industry enterprises.
- Telecommunications: Attacks aim to disrupt communication, which can have significant consequences for coordination. For example, a large-scale attack on Kyivstar in December 2023.
- Commercial Organizations: Data theft and destructive attacks.
Most Common Types of Attacks:
- Malicious Software Distribution (Malware): Includes ransomware, spyware, and wipers.
- Phishing: Creating fake emails or websites to steal login credentials. Often used to spread malware.
- Account/System Compromise:Unauthorized access to systems through compromised accounts.
- Malicious Connections: Unauthorized access to networks.
Cyberattacks in Ukraine:
- Attack on «Kyivstar» (December 2023): One of the largest cyberattacks, which caused significant disruption to the work of Ukraine's largest telecommunications provider, leaving millions of users without communication and internet for several days. This was a destructive wiper attack aimed at psychological pressure.
- Attacks on Government Registers (End of 2024 - Early 2025): Attackers specifically targeted government registers, particularly those related to the Ministry of Justice. The goal was to destroy data and backups.
- Exploitation of Software Vulnerabilities (2024): CERT-UA recorded the use of exploits for vulnerabilities such as GeoServer (CVE-2024-36401), HFS HTTP File Server (CVE-2024-23692), Adobe Acrobat Reader (CVE-2023-21608), Roundcube (CVE-2023-43770), and WinRAR (CVE-2023-38831). This indicates the ongoing search for new entry points and the use of known but unpatched vulnerabilities.
- Attacks Using WRECKSTEEL Malware (Fall 2024 - March 2025): CERT-UA recorded activity from the UAC-0219 group, using WRECKSTEEL malware to steal confidential information from the computers of government institutions and critical infrastructure sites. The attacks were carried out through compromised accounts by sending malicious emails with links to public file-sharing platforms.
- Changes in Tactics of Russian Hackers (2024-2025): CERT-UA notes that Russian hackers are shifting to longer and more complex operations, preparation for which may take 6-8 months. The priority penetration vector is now attacks on supply chains, particularly the compromise of specialized software providers used at critical infrastructure sites.
Key Recommendations for Protection Implementation:
- Strengthening the Institutional and Legislative Framework:
Regularly reviewing and adapting legislation to wartime conditions and new technologies. Implementing international cybersecurity standards and industry-specific standards for critical infrastructure.
2. Technical Protection Measures:
- Network Protection: Intrusion Detection and Prevention Systems (IDS/IPS), next-generation firewalls (NGFW), network segmentation to isolate critical systems.
- Endpoint Protection: EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) solutions to detect and respond to threats on devices.
- Email Security: Enhanced filters to detect and block phishing and malware.
- Monitoring and Response: Security Information and Event Management (SIEM) systems for log aggregation and analysis, continuous anomaly monitoring. Strengthening Security Operations Centers (SOC).
- Backup and Recovery: Regular backup of critical data and systems, developing and testing disaster recovery plans. Storing backups in geographically distributed and secure storage locations.
- Vulnerability Management: Regular vulnerability scanning and timely patching.
- Multi-Factor Authentication (MFA): Mandatory implementation of MFA for all accounts, especially for access to critical systems.
- Access Control: The principle of least privilege, strict access control to critical systems and data.
3. Organizational and Human Factors:
- Training and Awareness: Ongoing training for employees, especially critical infrastructure personnel, on recognizing phishing attacks, safe information handling, and responding to incidents.
- Incident Response Teams: Development and regular testing of incident response plans, including communication, analysis, and recovery procedures.
- «Cybersecurity Culture»: Creating an organizational environment where cybersecurity is a priority and the responsibility of every employee.
- Engagement of Experts: Collaboration with internal and external cybersecurity experts, conducting audits and penetration tests.
4. Proactive Approach:
- Threat Intelligence: Actively using up-to-date threat intelligence to predict and prevent attacks.
- Threat Hunting: Proactively searching for malicious activity in networks and systems that may have gone unnoticed by traditional defense tools.
- Participation in Cyber Drills: Regular participation in national and international cyber drills to practice responding to large-scale attacks.
Protecting critical infrastructure is not limited to technical means. It is a multi-layered process involving strategy, technology, policies, employee training, and cooperation with government cybersecurity agencies.
News source: CERT-UA минулого року опрацювала 4315 кіберінцидентів