Červená kalina

Cyberwarfare in Ukraine, April 2025

Russia continues its cyberattacks on critical infrastructure in Ukraine and across Europe. Cyberattacks and disinformation campaigns have become a routine part of electoral processes in democratic states. Meanwhile, Western defenses, weakened by the new Trump administration, are increasingly hesitant — but France is signaling a clear determination to stand up to Russia.

Russian Cyberattacks

In March 2025, Ukraine’s CERT (CERT-UA) recorded at least three cyberattacks targeting Ukrainian government institutions and critical infrastructure. Attackers deployed a new espionage malware called Wrecksteel. The attacks began with phishing emails containing links to file-sharing services like DropMeFiles and Google Drive. Clicking the link triggered a PowerShell script, allowing attackers to steal documents, PDFs, images, presentations, and even capture screenshots from infected devices.

CERT-UA also uncovered another campaign distributing infected Excel files with embedded macros. These files deployed a PowerShell script and a previously undocumented infostealer named GIFTEDCROOK, designed to steal data from browsers like Chrome, Edge, and Firefox. The primary targets included military units, law enforcement agencies, and local governments in eastern Ukraine.

The Russian group Shuckworm (also known as Gamaredon or Primitive Bear) continued its cyber-espionage activities. In February and March 2025, its attacks focused on a Western military mission stationed in Ukraine. The campaign began with an infected portable device containing a malicious LNK file that launched a script via mshta.exe to install an updated version of the GammaSteel malware, specialized in exfiltrating network data.

European diplomatic institutions faced an intense phishing campaign by the group APT29 (also known as Cozy Bear or Midnight Blizzard), linked to Russia’s FSB intelligence agency. Attackers sent emails disguised as invitations to wine tastings from a European Ministry of Foreign Affairs. The emails contained a malicious link leading to a “wine.zip” file that delivered the new GRAPELOADER malware.

Meanwhile, another group, UNC5837, launched attacks against European governmental and military organizations, exploiting .rdp files to establish connections via Remote Desktop Protocol (RDP). They abused lesser-known RDP features, such as filesystem redirection and RemoteApps, to effectively steal data from compromised systems.
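As an added defender-side illustration (not code from the original article or from any incident report), the script below parses a Windows .rdp connection file and flags the settings that hand local drives, clipboard and RemoteApp launch control to the remote host; the sample file contents and the host rdp.example.invalid are constructed placeholders.

```python
"""Triage a .rdp file for resource-redirection and RemoteApp settings.
Added example, not from the original article; sample data is constructed."""
import re

# Settings that expose local resources to the RDP server once the user connects.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives shared with the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers shared with the remote host",
    "redirectsmartcards": "smart cards shared with the remote host",
    "remoteapplicationmode": "RemoteApp mode: remote program rendered like a local app",
    "remoteapplicationprogram": "remote program launched automatically on connect",
}

# Constructed sample resembling a malicious attachment: full drive redirection plus RemoteApp.
SAMPLE_RDP = """screen mode id:i:2
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Viewer
"""

# Constructed benign sample: redirection explicitly disabled.
BENIGN_RDP = """full address:s:rdp.example.invalid:3389
drivestoredirect:s:
redirectclipboard:i:0
remoteapplicationmode:i:0
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines; type 'i' is an integer, 's' a string."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([si]):(.*)$", line)
        if not m:
            continue
        name, typ, value = m.groups()
        value = value.strip()
        if typ == "i" and value.lstrip("-").isdigit():
            value = int(value)
        settings[name.strip().lower()] = value
    return settings

def triage_rdp(text):
    """Return (remote host, [(setting, value, reason)]) for enabled risky settings."""
    settings = parse_rdp(text)
    findings = [(n, settings[n], r) for n, r in RISKY_SETTINGS.items()
                if settings.get(n) not in (None, 0, "")]
    return settings.get("full address", ""), findings

if __name__ == "__main__":
    host, findings = triage_rdp(SAMPLE_RDP)
    print("connects to:", host)
    for name, value, reason in findings:
        print(f"  {name}={value!r}: {reason}")
```

Run over .rdp attachments quarantined by mail filtering, any enabled entry in the findings list is worth a block or an analyst look before the file reaches a user.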

Russian groups UTA0352 and UTA0355 employed a new tactic targeting Microsoft 365 accounts. Attackers impersonated European diplomats on Signal and WhatsApp, inviting victims to fake video calls. During the conversation, victims were redirected to legitimate Microsoft login pages and tricked into sharing their OAuth authorization codes, granting attackers access to emails and sensitive data via Microsoft 365 and Entra ID (formerly Azure AD).

At the end of March 2025, a prominent Berlin-based research institute focused on Eastern Europe became the target of a sophisticated cyberattack. German authorities attribute the attack to Russian state-sponsored hackers. The Association for the Study of Eastern Europe (DGO), which operates the institute, described the attack as “highly professional,” aimed at compromising its email infrastructure, despite enhanced security measures introduced after a previous breach in October 2024. The prime suspect is again APT29.

The Dutch military intelligence service MIVD, in its 2024 annual report, highlighted an alarming rise in hybrid threats orchestrated by Russia, aimed at destabilizing Dutch society and eroding trust in democratic institutions. Among the incidents was an attempted cyber-sabotage against a public digital service—the first such case in the Netherlands. Though unsuccessful, the attack serves as a stark warning. MIVD also reported Russian operations targeting critical infrastructure and political websites intended to influence upcoming European elections. Of particular concern are Russian activities in the North Sea, involving the mapping of undersea internet cables and energy networks, possibly preparing for future sabotage operations.

Russian Disinformation and Hacktivism

Russia continues its assaults on democratic processes, using cyberattacks and disinformation to sway public opinion and punish countries supporting Ukraine.

A notable incident involved a DDoS attack on Belgian government websites, including MyGov.be, which provides citizens with official documents. The pro-Russian group NoName057 claimed responsibility, framing the attack as retaliation for Belgium’s new aid package to Ukraine. The same group also targeted Finland’s Centre Party website on election day, aiming to disrupt the electoral process and undermine trust.

In Poland, Prime Minister Donald Tusk reported a cyberattack against the Civic Platform party ahead of the May presidential elections. The attack lasted several hours, involving attempts to seize control of campaign staff computers. Tusk attributed the attack to “Eastern fingerprints,” suggesting Russian involvement.

Russia’s digital offensive is bolstered by disinformation campaigns, particularly targeting young audiences. Russian networks exploit TikTok’s algorithm, allowing even new accounts with few followers to spread virally. Emotionally charged videos—often AI-generated—leverage shock, tragedy, and provocation to maximize engagement, further amplified by networks of fake accounts interacting with the content.

Russian Domestic Measures

After years of quietly tolerating cybercrime, Russia has begun cracking down. In early April, Yuri Bozoyan, CEO of the Russian IT company Aeza Group, was arrested for running a criminal network producing and selling narcotics online. Aeza Group also provided “bulletproof hosting” services for various criminal organizations.

Mid-April saw Russia introduce a new legal framework allowing the seizure of cryptocurrencies during criminal proceedings. A special platform will be created to manage seized digital assets, which can be sold following court decisions. This move reflects Russia’s growing desire to control previously unregulated sectors.

In response to the growing threat of Ukrainian drone attacks, authorities in Russia’s Rostov region imposed nighttime mobile internet throttling, reducing speeds to 512 kbit/s. Initially, a complete shutdown between midnight and 5 a.m. was considered but was ultimately replaced with a softer approach to maintain civilian communications.

Cyberattacks Targeting Russia

Reports emerged suggesting Ukrainian drones are now equipped with malware capable of infecting Russian systems, damaging USB ports, blocking drone reprogramming, or exposing operators’ locations. However, these claims remain unverified beyond a single video from Russian social media.

Specialists from Doctor Web discovered targeted attacks on Russian soldiers via a fake version of the popular Alpine Quest mapping app, embedded with a spyware trojan (Android.Spy.1292.origin) that secretly collected and transmitted contacts, location data, and stored files.

The group Cloud Atlas launched a new wave of cyberattacks targeting Russia’s defense industry and state institutions, using phishing emails carrying malware such as VBShower and PowerShower. They also exploited compromised email accounts to spread infections further.

Meanwhile, China’s IronHusky group resumed espionage operations using a new modular version of the MysterySnail RAT malware, targeting government agencies in both Mongolia and Russia. The attacks disguised malicious scripts as official documents from the Mongolian Land Agency.

Russian transport infrastructure was also hit: websites and mobile apps for Russian Railways and the Moscow Metro were taken offline, disrupting online ticket sales—though not actual transport operations. The attack followed a similar incident targeting Ukrainian railways.

Western Policy

The West’s defense against Russian cyberattacks and disinformation has significantly weakened following the inauguration of the new U.S. administration. However, there are notable shifts in France’s stance, as the country seeks to position itself as a leader in European security. Until recently, France had avoided publicly naming Russia as the originator of cyberattacks targeting its infrastructure. This, however, is beginning to change.

France’s cybersecurity agency, ANSSI, has now officially accused the group APT28—also known as Fancy Bear or Sofacy—of being behind several attacks. This group is controlled by Russia’s military intelligence service, the GRU. Targets included the 2017 presidential elections, the TV5 network during a 2016 incident disguised as an attack by the Islamic State, and attempts to sabotage the 2024 Olympic Games.

Another measure taken against Russia comes from the American company Ngrok, which provides services for bypassing NAT and redirecting ports on non-public IP addresses. Ngrok has now blocked access for users with Russian IP addresses. When attempting to connect, Russian users are shown an error message indicating authentication failure. Users connecting through other countries are warned that, as a U.S.-based company, Ngrok is prohibited from conducting business with entities subject to U.S. sanctions.

Tomáš Flídr, May 3, 2025 – Analysis
