Hacktivists and Three Threat Clusters Are Shaping Attacks on Russia, Belarus, and Neighboring States

CyberSecureFox 🦊

Kaspersky researchers have released a technical review of 14 threat groups most actively targeting organizations in Russia, Belarus, and several neighboring countries. A sizable share of today’s activity comes from post‑2022 hacktivist collectives that identify as “pro‑Ukrainian.” The study organizes adversaries into three clusters by motivation and tooling, enabling defenders to reason about repeatable TTPs (tactics, techniques, and procedures) and prioritize risk mitigation.

Three threat clusters: motivation and tooling that drive TTPs

The number of actors attacking Russian organizations expanded sharply after 2022, largely due to hacktivist ecosystems. According to the report, these actors increasingly coordinate actions, share knowledge and tools, and operate with a deliberate focus on publicity. The three clusters are framed by dominant motives (ideological vs. other pragmatic aims) and by shared toolchains, which helps security teams map expected behaviors across sectors and align defenses with the most likely intrusion paths.

2022–2025 trends: coordination and rising technical maturity

Tool and role sharing across operations

Most profiled groups collaborate and reuse tradecraft. They converge on similar frameworks and even divide operational roles—from initial access to persistence and impact. In practice, this accelerates campaigns and scales reach, as proven TTPs, exploits, remote access tools, and malware modules are repeatedly redeployed. This mirrors a broader industry pattern in which popular kits (for example, widely reported frameworks like Cobalt Strike or Sliver) and dual‑use remote tools are adopted across unrelated crews.

Red‑team techniques in live intrusions

The report highlights higher technical sophistication. Techniques once confined to red‑team exercises now appear routinely in real attacks: stealthy persistence, lateral movement, living‑off‑the‑land (abusing built‑in admin tools such as PowerShell, WMI, or PsExec), and combining legitimate IT/OT administration utilities with custom loaders. This indicates that adversaries actively study professional publications, adapt cutting‑edge tradecraft, and experiment with it in live operations, a trend also noted in independent threat landscape reporting (e.g., ENISA and other industry sources).

Primary targets: government, industry, and telecom

While victims span multiple sectors, the top three targets remain government, industrial enterprises, and telecommunications. Both large enterprises and SMBs are affected; what matters is the presence of valuable data, critical infrastructure, or leverage over supply chains. The trend intensified in 2025: Kaspersky observed at least seven new groups publicly claiming attacks against Russian organizations.

Risk context for Russian organizations

Since 2022, Russia has remained among the most frequently targeted countries in cyberspace, with hacktivism a central driver. A key risk is the diffusion of techniques: once a method proves effective, it is rapidly cloned across the ecosystem, increasing repeat incidents and piling pressure on security operations. For defenders, this means shorter intervals between intrusion stages and a narrower window to detect and contain attacks.

Actionable guidance for security teams

Given these trends, organizations should revisit threat models and control priorities. Practical steps include:

1) Harden initial access: enforce MFA everywhere, tightly control VPN/RDP exposure, and minimize the external attack surface.
2) Network segmentation and least‑privilege access.
3) Enhanced monitoring with EDR/XDR plus centralized log telemetry.
4) Targeted threat intelligence focused on the threat clusters and their TTPs, mapped to MITRE ATT&CK.
5) Incident response readiness: tabletop exercises, validated offline backups, and tested recovery playbooks.
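As an added example (not code from the Kaspersky report or from CyberSecureFox), the following Python script shows what TTP‑mapped monitoring of the living‑off‑the‑land techniques named earlier (PowerShell, WMI, PsExec) can look like in practice, tying together the red‑team‑techniques passage and steps 3 and 4 above. It runs three simple rules over process and service telemetry, tags each hit with the MITRE ATT&CK technique it corresponds to, and then flags hosts where several distinct techniques fired together, which is a stronger signal of an intrusion moving between stages than any single alert. The event records, field names, host names and command lines are constructed for the example; the rules would need tuning against real telemetry.

```python
"""Detect living-off-the-land (LOLBin) activity in process/service telemetry.

Added example, not code from the Kaspersky report or from CyberSecureFox.
Events are constructed to resemble Sysmon/EDR process-creation and
service-install records; field names and sample values are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    image: str              # path of the executing process
    command_line: str
    parent_image: str = ""
    service_name: str = ""  # set only on service-install records (constructed field)


@dataclass
class Finding:
    host: str
    technique: str  # MITRE ATT&CK technique ID
    rule: str
    evidence: str


def _is_encoded_powershell(e: Event) -> bool:
    """T1059.001: PowerShell launched with an encoded command.
    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
    so match tokens that are a prefix of the full switch; -ExecutionPolicy is not."""
    if not e.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return False
    tokens = e.command_line.lower().split()
    return any(t.startswith("-e") and "-encodedcommand".startswith(t) for t in tokens)


def _is_wmi_execution(e: Event) -> bool:
    """T1047: a child of the WMI provider host, or wmic.exe creating a process."""
    spawned_by_wmi = e.parent_image.lower().endswith("wmiprvse.exe")
    wmic_create = (e.image.lower().endswith("wmic.exe")
                   and "process call create" in e.command_line.lower())
    return spawned_by_wmi or wmic_create


def _is_psexec_service(e: Event) -> bool:
    """T1569.002: the PsExec service binary being installed or executed."""
    return e.service_name.upper() == "PSEXESVC" or e.image.lower().endswith("psexesvc.exe")


# (ATT&CK ID, rule name, predicate)
RULES = [
    ("T1059.001", "powershell_encoded_command", _is_encoded_powershell),
    ("T1047", "wmi_process_execution", _is_wmi_execution),
    ("T1569.002", "psexec_service", _is_psexec_service),
]


def detect(events):
    """Run every rule over every event and return the matching findings."""
    findings = []
    for e in events:
        for technique, rule, predicate in RULES:
            if predicate(e):
                findings.append(Finding(e.host, technique, rule, f"{e.image} :: {e.command_line}"))
    return findings


def techniques_by_host(findings):
    """Map host -> set of distinct ATT&CK techniques observed on it."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.technique)
    return out


def hosts_with_chain(findings, min_techniques=2):
    """Hosts on which at least min_techniques distinct techniques fired: several
    LOLBin techniques on one host is a far stronger signal than one alert,
    which is often routine administration."""
    return sorted(h for h, t in techniques_by_host(findings).items() if len(t) >= min_techniques)


# Constructed sample telemetry: one host showing a chained pattern, one host
# with routine admin work plus a single WMI alert.
PS = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # "dwBoAG8AYQBtAGkA" is base64 of the UTF-16LE string "whoami" (benign payload)
    Event("srv-fin-01", PS, "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA",
          r"c:\windows\system32\cmd.exe"),
    Event("srv-fin-01", r"c:\windows\system32\cmd.exe", "cmd.exe /c whoami",
          r"c:\windows\system32\wbem\wmiprvse.exe"),
    Event("srv-fin-01", r"c:\windows\psexesvc.exe", "psexesvc.exe",
          r"c:\windows\system32\services.exe", service_name="PSEXESVC"),
    Event("wks-hr-07", PS, r"powershell.exe -executionpolicy bypass -file c:\scripts\inventory.ps1",
          r"c:\windows\explorer.exe"),
    Event("wks-hr-07", r"c:\windows\system32\wbem\wmic.exe", "wmic.exe os get caption",
          r"c:\windows\system32\cmd.exe"),
    Event("wks-hr-07", r"c:\windows\system32\wbem\wmic.exe",
          "wmic.exe process call create notepad.exe", r"c:\windows\system32\cmd.exe"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:<10} {f.technique:<10} {f.rule:<28} {f.evidence}")
    print("hosts with chained techniques:", hosts_with_chain(found))
```

Grouping findings by ATT&CK technique rather than by tool is what lets a SOC compare its own alerts with the cluster TTPs described in the report, and the per‑host threshold in hosts_with_chain is the simplest form of the correlation that matters most when the interval between intrusion stages is shrinking.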

Kaspersky underscores that attacks against Russian organizations have become systemic since 2022, with hacktivism leading the risk curve. Understanding adversary motivation, shared toolchains, and repeatable TTPs enables proactive defense. The priority now is disciplined execution of fundamentals—MFA, segmentation, visibility, and practiced response. Organizations that close these “quick wins” will substantially reduce exposure to an increasingly synchronized and technically adept set of adversaries.
