This year, the National Cyber Incident Response Team records an average of about 15 cyber incidents per day and tracks over 150 clusters of cyber threats (UAC).
This was reported by the press service of the State Special Communications Service of Ukraine.
“Since the beginning of 2025, CERT-UA has been recording an average of about 15 cyber incidents daily (targeting Ukrainian government agencies, ministries, public officials, and notaries), as well as tracking over 150 clusters of cyber threats. The primary source of cyberattacks remains the Russian Federation. In addition, activity has been observed from Belarus, China, North Korea, and, unfortunately, groups operating from temporarily occupied territories of Ukraine,” the statement reads.
It is noted that the main types of hacker activity from the occupied territories, Russia, and countries friendly to the aggressor state are classified as espionage, financial crimes, cyberterrorism, and specific attacks on notaries.
Specifically, the service notes attempts by Russia to spy on the Ukrainian Defense Forces.
“Espionage remains one of the priority directions for enemy intelligence agencies in Ukraine. One of the greatest threats is the group UAC-0010, which simultaneously infects thousands of computers in Ukraine. The compromise chain remains relatively unchanged: phishing emails with malicious attachments. The attackers actively use built-in Windows tools (mshta, PowerShell) and legitimate services (Cloudflare Tunnels, Telegram, etc.) to conceal their infrastructure. Malicious code spreads via USB drives and Word documents, tricking users into unwittingly distributing it. UAC-0184 specializes in attacks exclusively on military personnel, using Remcos RAT to gain access to computers. They are professionals in social engineering, hunting their victims and communicating with them for weeks before sending malware,” the State Special Communications Service added.
Hackers from the aggressor country also continue so-called destructive cyberattacks against Ukraine.
“For example, on May 26, 2025, the Russian hacker Telegram channel ‘Solntsepyok’ once again published information about new destructive cyberattacks, this time against eight Ukrainian internet providers. The attackers disguise their real targets under the guise of ‘combating fraudulent activities’ from Ukraine, but CERT-UA considers these hostile hacker actions could be classified as terrorist attacks. Among the affected providers are Interlink, ActiveNet, SvitNet, smn.com_ua, NGO ‘Horikh,’ Aries.od_ua, Corbina, and D-lan,” the service added.
