In Q4 2023, the resources of the Vulnerability Detection and Cyber Incident and Cyberattack Response System were used to process about 1.4 billion events collected by the means for monitoring, analysis and transmission of telemetry information on cyber incidents and cyberattacks; to detect 2 million suspicious information security events (at initial analysis); and to process 46,000 critical information security events (possible cyber incidents identified by filtering the suspicious IS events and performing secondary analysis).
In addition, 357 cyber incidents were recorded and processed directly by security analysts.
One new cyber defense object of the government sector was connected to the Vulnerability Detection and Cyber Incident and Cyberattack Response System over the reporting period.
As compared to Q3 2023, the number of cyber defense objects per subsystem has increased as follows:
• network telemetry collection — by 7;
• end-point protection — by 6;
• vulnerability scanning — by 5.
Among the autonomous systems (AS) whose infrastructure was most often identified as an active scanning source over the reporting period were OVN SAS, AMAZON-AES, AMAZON-02, GOOGLE, and Cloudflarenet.
Over the reporting period, 1,102,144 suspicious unique files were automatically detected by the subsystems making up the Vulnerability Detection and Cyber Incident and Cyberattack Response System. Among the malware families detected in information security events under the category “02 Malicious software code,” SmokeLoader, Agent Tesla, Snake Keylogger, Remcos, and Guloader prevailed.
Analysts of the Cyber Incident Response Operations Center have analyzed 1,731 phishing attacks correlating with the following email threat categories over Q4 2023:
• stealing authentication data (672);
• malware distribution (472);
• extortion (587).
578 out of 672 phishing attacks aimed at stealing users’ authentication data (86% of their total number) involved the use of legitimate services and technologies. This confirms how effective the approach of abusing legitimate means to build phishing emails remains. Specifically, Firebase, Formspark, IPFS, Webflow, Hostinger, Sav Builder, Weebly, Cloudflare R2, and POWR were abused over the reporting period.
461 phishing attacks were attributed to targeted activity clusters, namely UAC-0006 (358), UAC-0050 (77), UAC-0010 (24), and UAC-0028 (2).
In addition, 149 cyberattacks initiated by pro-russian hacking groups were detected over Q4 2023, 26% fewer than in the previous quarter. Q4 2023 thus continues the downward trend in the total number of cyberattacks targeting Ukrainian organizations of various sectors and ownership forms that has been observed since early 2023. Meanwhile, the attack periodicity chart is rather uniform: there were no notable changes in attack frequency or intensity, and attacks were evenly distributed across the timeline of the reporting period.
Народная CyberАрмия, RU_DDOS C2, Layer Legion (DDoS Legion), NoName057(16), and Vосход were among the most active pro-russian hacktivist groups. The attacks carried out by them in Q4 2023 accounted for 91% of all recorded attacks by such groups. The largest share of their attacks targeted the telecom, government, finance, defense, and energy sectors.