
Against hacking: Rostec recorded 3 trillion information security events in a year

Photo: IZVESTIA/Sergey Konkov

How hackers from unfriendly countries are trying to weaken the Russian military-industrial complex

Last year, almost 3 trillion information security events were recorded at the enterprises of Rostec State Corporation. This is twice as much as a year earlier, the state corporation told Izvestia. Experts note that Russian industry is among the three most attacked industries today, along with the financial and public sectors. In their opinion, by such actions our opponents want to weaken the Russian military-industrial complex and the army.

Part of the hybrid war

In 2024, the Rostec State Corporation's Information Security Incident Monitoring and Response Center (RT Protect SOC) processed almost 3 trillion information security events (virtual incidents that could affect the company's operations). This is almost twice as much as a year earlier. The systems recorded more than 1.2 million triggers, of which over 360 thousand potentially dangerous incidents were manually checked, Rostec reported.


2,230 cases that could affect the stability of critical IT systems, industrial equipment and departmental networks were confirmed, the newspaper's sources noted.

"The essence of cyber threats is changing," Artem Sychev, First Deputy General Director of RT-Information Security JSC, told Izvestia. "Hackers no longer act head-on; they behave like scouts: they enter unnoticed, observe for a long time, disguise themselves as regular activity, and then attack point by point. In 2024, our SOC processed 2.94 trillion events, confirmed more than 2,000 attacks, and learned how to identify threats before they could cause harm."

The increase in the number of cyber attacks on enterprises of the domestic military-industrial complex is not accidental — it is part of a hybrid war being waged against our country, military expert Vasily Dandykin told Izvestia.

"Most of the attacks are the work of the Kiev regime, and this is a serious threat," he said. "There are other countries behind them, first of all Great Britain. The importance of science and industry in modern military conflicts is very high, and people and companies manufacturing new weapons systems are becoming priority targets. Without military equipment that meets the challenges of the times, even a highly motivated army will be defeated in a matter of days."


Attribution of cyber attacks is complex and often politicized, Igor Bederov, director of the Internet Search company, told Izvestia.

"However, the main sources of threats to Russia, especially to the defense industry, are associated with NATO countries, especially the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom, and the United States), Ukraine, Eastern European countries, and anonymous hacker groups," he said.

Russian factories and industrial enterprises are still being attacked, mainly for cyber espionage or cyber sabotage. But both the number of cyberattacks and the number of APT groups attacking Russia have grown significantly since the start of the special military operation. If in 2023 there were 14 pro-government APT groups attacking Russia and the CIS, then in 2024 there were twice as many, 27, experts from the Threat Intelligence department of F6 told Izvestia.

Abnormal activity

Three trillion threats per year is a huge amount, about 8.2 billion per day, Igor Bederov believes.


"This figure indicates the extreme activity of intruders," the expert said. "The doubling compared to 2023 is an alarming trend, significantly ahead of the global average. After the start of the special military operation, the situation escalated dramatically. There has been a sharp increase in the number and intensity of attacks, a change in their nature, and a complication of their attribution."

Andrey Zaikin, Director of Business Development at K2 Cybersecurity, told Izvestia that the number of incidents recorded by the company's Cybersecurity Monitoring Center has doubled. According to him, the focus is shifting to the real sector of the economy.

"Russian industry is among the three most attacked industries today, along with the public sector and finance," he said.

Most often, sectors with a high degree of digitalization and large amounts of data are under attack: finance, industry, and pharmaceuticals, confirmed Ekaterina Ionova, project director of the Lukomorye IT ecosystem and product owner of the Sirin AI Center.


The attackers want the work of our defense enterprises to be disrupted, because since 2022 we have been in a state of cyber warfare.

"They are also interested in stealing information about the activities of Rostec companies," Alexey Gorelkin, CEO of Phishman, told Izvestia.

They are trying to weaken our defense industry by all possible means — both virtual and terrorist, Vasily Dandykin is sure.

"Attempts have been made on our designers and managers more than once," he noted.

The expert recalled that such tactics have already become widespread in practice: during the flare-up of the conflict between Israel and Iran, not only generals and politicians were killed, but also scientists and designers involved in projects of the Iranian military-industrial complex and even in civilian nuclear energy.

Dangerous mail

Most of the attacks that led to certain consequences began with phishing emails or the use of compromised credentials, Rostec noted.


Malicious messages were often disguised as internal correspondence, requests from technical support services, or requests from management.

The attackers actively tried to exploit vulnerabilities in well-known products such as WinRAR and Outlook. As practice shows, contractors and partners of companies are the most vulnerable — through them, intruders try to penetrate the perimeter of the main infrastructure of the state corporation.

According to a report by the Rostec Information Security Incident Monitoring and Response Center, more than 70% of incidents began with the actions of an end user: an employee who opened a malicious email or failed to notice that the sender had been spoofed.


There has also been an increase in attacks through popular messengers. Hackers steal accounts and send malicious files while posing as colleagues. Increasingly, malicious messages remain inactive in the system until a certain moment. This "sleep mode" lets the malware evade protection and activate when the system is most vulnerable, for example on weekends or holidays.

Hackers and their techniques

The APT groups HeadMare and Cloud Atlas showed the greatest activity in 2024. They used phishing (illegally gaining access to usernames and passwords of users), archives with malicious documents, as well as remote access programs, according to a report by the Rostec Monitoring and Response Center.

After a device was compromised, the PhantomCore malware was launched, followed by network tools and the LockBit and Babuk ransomware encryptors. Moreover, the attacks were customized for each target.


In some cases, the program has not been activated for weeks, waiting for the right moment. Such scenarios are particularly dangerous for defense and scientific enterprises, where intruders seek a long-term presence and information gathering, the report notes.

Experts believe that while foreign hackers targeting Russian industry are relying on mass, automated activity, this threat should not be underestimated.

"Automated scans, mass phishing, brute-force attempts, and targeted attacks are easily generated by bots. But at the same time, the growth of threats, of course, directly correlates with an increased risk of successful attacks," said Igor Bederov.

The consequences of such attacks can be very different, experts from the Threat Intelligence department of F6 said.


"Minimal damage is when an employee falls for mass phishing or a scam. The consequences are the hijacking of a Telegram (TG) account or the leak of a personal account," they noted. "In more complex schemes, attackers collect information about the target in order to come up with a convincing legend, for example in the FakeBoss scheme ('fake boss'). A number of successful attacks are known in which accountants of various organizations voluntarily transferred funds (from hundreds of thousands to tens of millions) to the accounts of intruders, believing they were carrying out the instructions of the head of the organization."

The methods of combating cyber attacks are constantly being improved, experts say. For example, at Rostec, RT Protect SOC has become not only a response center, but also a tool for predicting attacks from outside. Thanks to this, the system is able not only to detect threats, but also to prevent them at the preparation stage.


Bogdan Stepovoy

Vladimir Matveev

Anton Bely
