
Intruders Amplify Gathering Information on Corporations' Hidden Weaknesses

Hackers frequently target corporations to obtain information about their underlying weaknesses

In the digital landscape of 2025, hacking activities targeting Russian companies' information systems have evolved, combining elements of financially motivated cybercrime and cyberespionage operations. According to BI.ZONE experts, the share of attempts to steal authentication data has decreased significantly, from 14.8% to 6.3%.

This trend is marked by the increasing prevalence of financially motivated attacks by Russian-affiliated groups. One such group, EncryptHub (also known as LARVA-208), has been actively exploiting a recently patched Microsoft Windows vulnerability (CVE-2025-26633, MSC EvilTwin) to deploy malware aimed at stealing information and gaining control over internal systems. Their methods pair social engineering, such as fake job offers and spoofed platforms, with sophisticated malware delivery, including the SilentPrism and DarkWisp backdoors.

Cyberespionage and prolonged intrusions also feature prominently in these attacks. Russian state-sponsored groups have been linked to extensive breaches of sensitive systems, such as a years-long infiltration of U.S. court records systems aimed at stealing sealed and sensitive documents.

Reconnaissance and layered attacks are also common tactics. The exploitation of software weaknesses combined with social engineering highlights an ongoing practice of careful infiltration before executing financial or espionage objectives. This multidimensional approach, mixing human-targeted deception and technical exploits, exemplifies current attacker tactics.

The context of geopolitical conflict also plays a significant role. Pro-Ukrainian hacker groups have conducted disruptive operations against major Russian companies, illustrating how cyberattacks related to the Russia-Ukraine conflict increasingly target Russian corporate IT infrastructure.

In response, Russia is designating enterprise software like ERP systems as critical information infrastructure and pushing a transition to domestic software to reduce dependence on Western technology perceived as vulnerable in cyberwarfare contexts.

Meanwhile, "classic" attacks, such as attempts to intercept user credentials and remotely hack servers, have become less common. The use of geo-filters and proxy servers/VPNs is a common tactic to bypass filtering systems in Russian cyberattacks.

Interestingly, the share of "reconnaissance activity," that is, attacks aimed at gathering information about companies, particularly about vulnerabilities in their web applications, has increased significantly, according to BI.ZONE. The share of incidents involving the gathering of information about vulnerabilities in IT infrastructure has grown more than fivefold.

Analysts explain that this tactic by cybercriminals is aimed at collecting as much information as possible before launching a full-scale cyberattack on an organization. In the first half of 2025, 39% of hacking activities detected in Russian companies' information systems were targeted at cyberespionage.

Remarkably, most attacks on Russian online resources originate from Russian IP addresses. This suggests a shift in hacking tactics, with attackers operating within the Russian cyber space to evade detection and carry out their malicious activities more effectively.
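The two observations above, that web-application reconnaissance is rising and that much of it now arrives from domestic IP addresses, together mean that geo-filtering alone will miss it. The following is an added example, not part of the original article or of BI.ZONE's tooling, showing a behaviour-based detector that flags reconnaissance in web server access logs by what a client does (many distinct non-existent paths probed within a short window) rather than where it comes from. The log lines, IP addresses, paths and thresholds are all constructed for illustration.

```python
"""Behaviour-based reconnaissance detection over web server access logs.

Added example (not from the article). Flags clients that probe many distinct
non-existent paths in a short window, independent of source geography, so that
scanning from "trusted" domestic IP ranges is still caught.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in Apache/nginx "combined" format. Addresses are from
# documentation ranges (RFC 5737); none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:10:00:01 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:00:03 +0300] "GET /catalog HTTP/1.1" 200 8833 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Aug/2025:10:00:05 +0300] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [12/Aug/2025:10:00:05 +0300] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [12/Aug/2025:10:00:06 +0300] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [12/Aug/2025:10:00:06 +0300] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [12/Aug/2025:10:00:07 +0300] "GET /admin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [12/Aug/2025:10:00:07 +0300] "GET /backup.zip HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [12/Aug/2025:10:01:10 +0300] "GET /missing-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Tuning knobs (assumed values): a normal user rarely hits 5 different
# non-existent URLs inside one minute; a scanner does so in seconds.
WINDOW = timedelta(seconds=60)
DISTINCT_404_THRESHOLD = 5


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def parse_log(text):
    """Parse a whole log, silently skipping malformed lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def detect_recon(events, window=WINDOW, threshold=DISTINCT_404_THRESHOLD):
    """Return {ip: finding} for clients whose 404s show path enumeration.

    For each client, slide a time window over its 404 responses and record the
    largest number of distinct paths seen inside any single window. Source IP
    is only the grouping key; no geographic allow/deny logic is involved.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best_paths, start = set(), 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            paths = {e["path"] for e in evs[start:end + 1]}
            if len(paths) > len(best_paths):
                best_paths = paths
        if len(best_paths) >= threshold:
            findings[ip] = {
                "distinct_404_paths": len(best_paths),
                "paths": sorted(best_paths),
                "user_agents": sorted({e["ua"] for e in evs}),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_recon(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_404_paths']} distinct 404 paths, UA={f['user_agents']}")
```

Run on the constructed log, the scanner at 198.51.100.23 is flagged (six distinct 404 paths within two seconds, all from an automation user agent), while 203.0.113.7, a browsing user who hit one broken link, is not. Because the rule keys on request behaviour, it fires equally for a client inside the organisation's own country, which is exactly the case the geo-filter-evasion observation above describes; in production the thresholds would be tuned against the site's real 404 baseline.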

In summary, hacking activities against Russian corporate systems currently combine cyberespionage, reconnaissance aimed at exploitable vulnerabilities, and financially motivated malware campaigns, all set in a broader strategic conflict context and driving corresponding defensive policy changes in Russia.

  1. The increase in reconnaissance activity, such as gathering information about vulnerabilities in web applications, is a significant trend in Russian cybercrime, according to BI.ZONE.
  2. Russian-affiliated groups, like EncryptHub, use a multidimensional approach, combining human-targeted deception and technical exploits, in their financially motivated cyberattacks on corporate IT infrastructure.
