
Russian hacker group APT29, also known as Cozy Bear, has launched a new cyber-espionage campaign targeting Ukrainian state and military agencies, according to a report by Amazon Web Services (AWS) released Thursday. The group, allegedly affiliated with Russia’s Foreign Intelligence Service (SVR), is known for high-profile attacks, including the 2020 SolarWinds breach.
Ukraine’s computer emergency response team, CERT-UA, first detected the campaign, which deployed phishing emails disguised as official messages from Amazon and Microsoft. Researchers revealed that APT29’s aim was to steal victims’ credentials and gain access to various systems, allowing for potential control over devices, network resources, and other critical infrastructure.
AWS attributed the campaign to APT29 based on CERT-UA findings and identified that some of the domain names used in the phishing scheme mimicked AWS domains. APT29, however, was not attempting to access AWS customer data; instead, the hackers aimed to gather Windows credentials via Microsoft Remote Desktop.
This latest attack signals a change in APT29’s tactics, with the group opting for a wider reach rather than its usual, narrowly targeted approach. AWS has taken steps to disrupt the campaign by seizing compromised domains used in the attacks.
As Ukraine deals with this ongoing cyber threat, CERT-UA has also reported that another Russian hacker group, APT28 (Fancy Bear), is attempting to breach local government agencies. Both groups appear to be targeting credentials and sensitive data through sophisticated techniques, underscoring the persistent threat posed by Kremlin-backed cyber operations.
With cyber-espionage activities accelerating, cybersecurity experts warn that Ukraine’s infrastructure remains at heightened risk amid escalating digital warfare.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543