A study by cyber researchers proves that Russian threat actors use vulnerable networks in countries around the world to attack Ukrainian organizations.

Even though countries such as the UK, US, and France support Ukraine, Russian cybercriminals managed to take advantage of vulnerable networks there while pursuing their goals. So far, a dam monitoring system, a Fortune Top 500 company, and various other Western organizations have been used to launch cyberattacks on Ukraine.

Honey-Trapping the Malicious Actors

To attract Russian hackers and collect intelligence about how they work, researchers planted a number of decoys that masqueraded as important Ukrainian websites and documents.

The operation was a great success: a huge number of threat actors fell into the trap and tried to use the decoys to attack Ukraine. Researchers point to one piece of data that attracted up to 60 human cybercriminals within about a minute of being published.

The Three Different Types of Decoys the Study Used:

  • Fake documents that seemed to contain important information for threat actors were intentionally leaked on Russian forums and pro-Russian groups. The documents were set to send a beacon once opened.
  • Decoy websites, pretending to belong to the Ukrainian government or other political institutions, were also used to lure cybercriminals.
  • SSH services configured to accept fake credentials taken from fake websites and report a critical attack.
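
How the third decoy type can separate a credential harvested from a decoy website from ordinary password guessing, as an added example that is not from the study or the original article. The log format, credentials, page paths and addresses are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed honeytokens: credentials that exist only on a decoy website,
# mapped to the decoy page they were planted on (all values are made up).
HONEYTOKENS = {
    ("svc_backup", "Arch1ve-Kyiv-22"): "decoy-site/admin-notes",
    ("portal_admin", "Gov-Portal-7731"): "decoy-site/staff-wiki",
}

# Assumed log format of a hypothetical SSH decoy that records attempted passwords.
LINE = re.compile(
    r"^(?P<ts>\S+) ssh-decoy attempt user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = """\
2022-11-02T09:14:03Z ssh-decoy attempt user=root pass=123456 src=198.51.100.7
2022-11-02T09:14:04Z ssh-decoy attempt user=admin pass=admin src=198.51.100.7
2022-11-02T09:20:41Z ssh-decoy attempt user=svc_backup pass=Arch1ve-Kyiv-22 src=203.0.113.45
2022-11-02T09:21:10Z ssh-decoy attempt user=svc_backup pass=backup src=198.51.100.7
corrupted line without fields
2022-11-02T09:30:00Z ssh-decoy attempt user=portal_admin pass=Gov-Portal-7731 src=192.0.2.19
""".splitlines()


def triage(lines):
    """Split decoy SSH attempts into critical honeytoken hits and background noise."""
    critical, noise, unparsed = [], Counter(), 0
    for line in lines:
        m = LINE.match(line)
        if m is None:
            unparsed += 1          # keep a count so log damage stays visible
            continue
        origin = HONEYTOKENS.get((m["user"], m["pw"]))
        if origin is None:
            noise[m["src"]] += 1   # generic guessing, not tied to the decoy site
        else:
            # Exact user/password match: the source used a planted credential.
            critical.append({"ts": m["ts"], "src": m["src"],
                             "user": m["user"], "planted_on": origin})
    return {"critical": critical, "noise": dict(noise), "unparsed": unparsed}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for hit in report["critical"]:
        print("CRITICAL", hit)
    print("noise by source:", report["noise"], "unparsed:", report["unparsed"])
```

Because each planted credential maps to one decoy page, a critical hit also shows which lure the source visited before connecting.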

What Do Russian Threat Actors Want

According to the researchers, their decoys were the target of various types of attacks. By exploiting the decoys, threat actors tried to collect intelligence and even to recruit them as bots for DDoS attacks. They also tried SQL injection, RCE attacks, the use of known CVEs, and Docker exploitation.

Since researchers also set up non-Ukrainian decoys, they were able to deduce that threat actors were significantly more aggressive towards lures imitating Ukrainian organizations. For example, threat actors were prone to using scripts to attack Ukrainian websites, institutions, and websites supporting Kyiv in the war against Russian occupation.


Threat actors compromised the networks of companies, healthcare organizations, and a dam monitoring system in order to reroute their attacks on fake targets in Ukraine.

The study also revealed the disturbing fact that Russian cybercriminals have a significant presence in Western networks, even in countries such as the US, UK, and France that specifically support the Ukrainians.
