Russian Hackers Re-Infiltrating Ukrainian Systems Using Old Footholds, CERT-UA Warns
Ukraine's Computer Emergency Response Team (**CERT-UA**) has issued a warning regarding Russian threat actors increasingly attempting to regain access to previously compromised systems. These actors are leveraging initial breaches as a launchpad for new operations, highlighting the importance of thorough remediation.
Russian hackers are demonstrating a growing persistence in their attacks against Ukrainian networks, according to a new report from **CERT-UA**. The agency observed a trend where attackers revisit previously breached infrastructure to check if access remains, if vulnerabilities have been patched, and whether old credentials still work.
### Re-Establishing Access
"Unfortunately, these attempts sometimes succeed if the root cause of the initial incident has not been completely eliminated," the researchers stated, emphasizing the need for comprehensive security measures beyond initial patching.
This tactic signifies a shift from the "steal-and-go" approach seen in the first half of 2025, where attackers focused on quickly extracting data. Now, the emphasis is on maintaining long-term access for espionage, expanding access, or supporting other cyber operations.
### Evolving Tactics: Social Engineering on the Rise
**CERT-UA** also noted a change in initial access methods. Traditional phishing emails and malicious attachments are becoming less effective as organizations become more aware. Attackers are now turning to sophisticated social engineering tactics.
These tactics involve building trust with victims through direct phone calls using Ukrainian mobile numbers and legitimate messaging accounts. Attackers speak fluent Ukrainian and demonstrate detailed knowledge of their targets before sending malicious files via messaging apps.
### APT28 and Void Blizzard Implicated
According to **CERT-UA**, Russia-linked hacking groups such as **APT28** (also known as **Fancy Bear**) and **Void Blizzard** have employed these techniques against members of Ukraine's armed forces and government institutions.
### Incident Numbers Decline, Defenses Improve?
Despite the evolution in tactics, the report indicates a decline in the overall number of cyber incidents in the second half of 2025, the first such drop since the start of the full-scale invasion. This suggests that Ukrainian organizations are gradually adapting to the threat environment and improving their defenses.
However, the security and defense sector remains the primary target, as compromising these networks could directly impact the ongoing conflict.
