Russian State-Sponsored Groups Escalate Cyber Operations in 2025, CERT-UA Reports 37% Surge in Incidents
Russian threat groups including Sandworm, APT28, and Gamaredon dramatically escalated cyber operations in 2025, with CERT-UA recording 5,927 incidents—a 37.4% increase over 2024—using RDP exploitation, VPN vulnerabilities, supply chain attacks, and social engineering for initial access.
Russian state-sponsored threat groups significantly stepped up their cyber operations in 2025, using a range of methods to break into targeted systems. From exploiting remote desktop tools and virtual private networks to manipulating trusted supply chains and deceiving employees through social engineering, these actors have built a dangerous and versatile toolkit for gaining initial access. The attacks are not random. They are well-planned, persistent campaigns aimed at government bodies, defense organizations, energy infrastructure, and other critical sectors, particularly in Ukraine and across Europe.
Threat actors under designations such as UAC-0002 (Sandworm), UAC-0001 (APT28), UAC-0010 (Gamaredon), and UAC-0190 (Void Blizzard) have each played an active role throughout the year. Analysts from the National Security and Defense Council of Ukraine said in a report shared with Cyber Security News (CSN) that they identified that in 2025, the volume and complexity of these attacks grew considerably, with CERT-UA recording approximately 5,927 cyber incidents, a 37.4% rise compared to 2024. The report confirms that RDP exploitation, VPN vulnerabilities, and phishing through platforms like Signal, WhatsApp, and Telegram are among the most common methods used to gain a foothold inside targeted networks.
The consequences of these breaches extend beyond data theft. Several intrusions led to the deployment of destructive wiper malware, ransomware, and long-running espionage tools designed to silently collect and exfiltrate sensitive information. The scale of this activity signals that these groups operate not just as cybercriminals but as instruments of a broader geopolitical strategy. In at least one case, attackers used stolen credentials purchased from access brokers on darknet forums to move directly into targeted environments, bypassing traditional phishing entirely.
Remote Desktop Protocol remains one of the most abused entry vectors in 2025. Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments. VPN appliances were targeted through vulnerabilities including CVE-2025-20333 and CVE-2025-20362, giving attackers a direct tunnel into internal networks. Supply chain intrusions added another serious layer of risk, as actors targeted software update mechanisms, third-party tools, and IT service providers to plant backdoors where scrutiny is typically lower.
Once inside, groups deployed malware families like Remcos RAT, DarkCrystal RAT, XWorm, and Lumma Stealer to maintain persistent access. Vulnerabilities in widely used platforms were also exploited, including flaws in Roundcube (CVE-2024-42009, CVE-2025-49113), Fortinet appliances (CVE-2024-55591, CVE-2024-21762), and archiving tools like WinRAR and 7-Zip. Older Microsoft Office flaws (CVE-2017-11882, CVE-2017-0199) that remain unpatched in many organizations were also leveraged, proving legacy vulnerabilities still carry very real consequences.
Social engineering remained one of the most reliable methods Russian threat groups used to break in during 2025. Phishing lures were sent through email platforms including Microsoft O365, Roundcube, and Zimbra, as well as messaging apps like Signal, WhatsApp, and Telegram. Techniques such as ClickFix, fake CAPTCHA prompts, and PowerShell-based execution tricks helped attackers deliver malware without triggering immediate alerts. OAuth phishing, Device Code phishing targeting Microsoft Teams, and App-Specific Password phishing against Google accounts were observed targeting over a thousand individuals.
To counter these threats, organizations are advised to enforce multi-factor authentication, adopt Zero Trust architecture, and use Protective DNS to block malicious domains. Patch management across both new and legacy vulnerabilities is essential, and staff should receive regular training to spot social engineering attempts. Security teams should restrict RDP access and monitor for unusual use of built-in system tools that attackers frequently repurpose. The 2025 escalation underscores that Russian cyber operations remain a persistent and evolving threat, demanding continuous vigilance and adaptive defenses.