Ukraine warns Russian hackers are revisiting past breaches to prepare new attacks

Summary

Ukraine’s CERT-UA reports that Russia-linked threat actors are returning to infrastructure they previously compromised to check whether access still works, whether patches have been applied and whether stolen credentials remain valid. The shift marks a move away from rapid “steal-and-go” operations in early 2025 toward efforts to maintain long-term footholds for espionage, expanded access or follow-up operations.

Key Points

  • Attackers are reusing earlier breaches as footholds — checking for persistent access, unpatched vulnerabilities and valid credentials.
  • There was a tactical shift in 2025: the first half saw quick data-theft operations, while the second half saw more focus on long-term persistence.
  • Phishing and malicious attachments are becoming less effective; attackers increasingly use sophisticated social engineering (phone calls, video chats, messages) to build trust.
  • Threat actors have used Ukrainian mobile numbers and fluent Ukrainian to convince victims to open malicious files sent over messaging apps.
  • Russia-linked groups such as APT28 (Fancy Bear) and a group tracked as Void Blizzard have targeted Ukraine’s armed forces and government institutions with these techniques.
  • The total number of incidents fell in the second half of 2025, which CERT-UA suggests may reflect improving defences among Ukrainian organisations.
  • The security and defence sector remains the primary target because access there can directly affect the course of the war.

Content summary

CERT-UA’s analysis shows a clear evolution in adversary behaviour: rather than grabbing credentials and leaving quickly, many attackers are now trying to convert past successes into long-term access. They routinely revisit previously compromised networks to see if old backdoors or stolen accounts still work and to exploit any lingering weaknesses.

Attack vectors have also changed. As basic phishing becomes less fruitful, attackers invest in personalised social engineering — often starting with phone or video contact using local numbers and legitimate messaging accounts to lower victims’ guard before delivering malicious files.

The report highlights specific threat actors and targets: APT28 and Void Blizzard have used these methods against military and government personnel. Despite the evolution, CERT-UA notes an overall decline in incidents in late 2025, pointing to better defensive posture across some Ukrainian organisations.

Context and relevance

This reporting matters because it signals a maturing adversary approach: persistence is more valuable than one-off data grabs. For defenders, it means incident response can’t stop at removing visible malware — root causes and lingering credentials must be eradicated, and organisations need to assume old compromises may be re-used.

It also underscores trends seen globally: social engineering is getting more targeted and multi-channel, and nation-state actors prioritise long-term access to influence operations and espionage. The continued focus on security and defence networks emphasises the strategic intent behind these intrusions.

Why should I read this?

Quick take: if you run security for an organisation (especially in defence or critical infrastructure), this is one you should skim — attackers are coming back through old doors, so patching and surface-level cleanups won’t cut it. Think: hunt for stale credentials, re-check earlier incidents, and treat past breaches as ongoing threats rather than closed tickets. We’ve done the reading so you can get straight to the mitigation checklist.
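One way to turn the "hunt for stale credentials, re-check earlier incidents" advice into a repeatable check, as an added example written for this summary (it is not code from CERT-UA, The Record or any tool named above): take the list of accounts known to have been compromised in closed incidents, join it against a directory export of last-password-change dates, and flag any account whose credential was not rotated after the incident closed, together with any successful logon that credential has produced since. The incident records, rotation dates and syslog-style auth lines below are constructed sample data; the field names and the `key=value` log layout are assumptions for the example.

```python
from datetime import date, datetime

# Constructed sample data: two closed incidents and the accounts each one
# was known to have compromised. Not taken from the report above.
PAST_INCIDENTS = [
    {"id": "INC-2025-014", "closed_on": date(2025, 3, 2),
     "accounts": ["o.shevchenko", "svc-backup", "svc-legacy"]},
    {"id": "INC-2025-031", "closed_on": date(2025, 6, 18),
     "accounts": ["i.kovalenko"]},
]

# Constructed directory export: when each account's password was last changed.
# svc-legacy has no record at all, which must count as "never rotated".
LAST_ROTATION = {
    "o.shevchenko": date(2025, 3, 4),    # rotated after the incident closed
    "svc-backup":   date(2024, 11, 9),   # untouched since before the breach
    "i.kovalenko":  date(2025, 6, 1),    # rotated while the incident was still open
}

# Constructed auth log, one event per line (assumed key=value layout).
AUTH_LOG = """\
2025-09-12T08:14:02Z auth user=o.shevchenko result=success src=10.20.4.17
2025-09-12T23:41:55Z auth user=svc-backup result=success src=203.0.113.5
2025-09-13T02:03:10Z auth user=i.kovalenko result=failure src=203.0.113.9
2025-09-13T02:03:41Z auth user=i.kovalenko result=success src=203.0.113.9
2025-09-13T09:30:00Z auth user=m.bondar result=success src=10.20.4.22
"""


def parse_auth_log(text):
    """Parse the constructed auth lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[2:])  # skip ts and 'auth'
        fields["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def hunt_stale_credentials(incidents, rotations, events):
    """Return accounts from past incidents whose stolen credential may still work.

    An account is flagged when its password was never changed, or was changed
    before the incident closed (the intruder may have captured the new one too).
    If such an account has also logged on successfully since closure, the
    unrotated credential has demonstrably been exercised and the finding is
    escalated with the source addresses involved.
    """
    findings = []
    for inc in incidents:
        for acct in inc["accounts"]:
            rotated = rotations.get(acct)
            if rotated is not None and rotated > inc["closed_on"]:
                continue  # rotated after closure: the stolen secret is dead
            reasons = ["credential not rotated since incident closure"]
            sources = sorted({
                e["src"] for e in events
                if e["user"] == acct and e["result"] == "success"
                and e["ts"].date() > inc["closed_on"]
            })
            if sources:
                reasons.append("successful logon after closure with the unrotated credential")
            findings.append({"account": acct, "incident": inc["id"],
                             "reasons": reasons, "sources": sources})
    return sorted(findings, key=lambda f: f["account"])


if __name__ == "__main__":
    for f in hunt_stale_credentials(PAST_INCIDENTS, LAST_ROTATION,
                                    parse_auth_log(AUTH_LOG)):
        print(f["account"], f["incident"], "; ".join(f["reasons"]), f["sources"])
```

On the sample data this flags `svc-backup` and `i.kovalenko` as both unrotated and actively used after their incidents closed, and `svc-legacy` as unrotated but so far idle; `o.shevchenko` is not reported because the rotation happened after closure. The "rotated before closure does not count" rule is the caveat worth keeping: a password reset performed while the intruder still had access is exactly the kind of surface-level cleanup the report says no longer suffices.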

Source

Source: https://therecord.media/ukraine-warns-russian-hackers-revisiting-old-attacks