The PolySwarm Blog


2023 Recap - Cyberwar and Hacktivism in the Russia-Ukraine Conflict

Dec 8, 2023 1:17:32 PM / by The Hivemind


Executive Summary

The Russia-Ukraine conflict has continued throughout 2023, with a plethora of both state-sponsored and hacktivist cyber activity taking place alongside kinetic warfare. In this report, PolySwarm provides the highlights of cyber activity associated with the Russia-Ukraine conflict in 2023.

Key Takeaways

  • The Russia-Ukraine conflict has continued throughout 2023, with a plethora of both state-sponsored and hacktivist cyber activity taking place alongside kinetic warfare. 
  • State-sponsored Russian threat actors engaged in cyberwar have included Cozy Bear, Fancy Bear, VooDoo Bear, Primitive Bear, and Cadet Blizzard.
  • Other notable Russia nexus or pro-Russia threat actor groups have included GhostWriter, RedStinger, KillNet, and Nodaria.
  • Ukraine nexus threat actor groups engaged in the cyber conflict include Cyber Regiment, IT Army of Ukraine, KibOrg, and NLB.
  • Samples of LitterDrifter, a USB worm used by Primitive Bear to target Ukraine, are featured in the IOCs section.  

2023 Highlights


GhostWriter

In January, officials in Poland reported that Polish government services, private companies, media organizations, and other entities had been under attack. They stated the attacks appeared to be perpetrated by the pro-Russia hacktivist group known as GhostWriter. These politically motivated attacks were likely carried out as retaliation, as Poland has provided support to Ukraine in the ongoing Russia-Ukraine conflict and designated Russia as a state sponsor of terrorism.

Cozy Bear

Cozy Bear, also known as APT29 and Nobelium, is a Russia nexus threat actor group tied to the SVR. In a campaign earlier this year that targeted NATO and EU entities, Cozy Bear used three tools: the droppers SNOWYAMBER and QUARTERRIG, and HALFRIG, a loader that deploys Cobalt Strike. The campaign objective was espionage. The threat actors used spearphishing with an embassy-themed lure to target victims.

Fancy Bear

Fancy Bear, also known as APT28, Pawn Storm, SnakeMackerel, Strontium, Sednit, Sofacy, and Tsar Team, is a Russia nexus APT group associated with Unit 26165 of the Russian military intelligence service, the GRU. The group has been active since at least 2007 and targets government, military, and security entities. In September 2023, the group was observed attacking a critical energy facility in Ukraine.

VooDoo Bear

VooDoo Bear, also known as Sandworm, Black Energy, Electrum, Iron Viking, Telebots, and Quedagh, is a Russia nexus APT group active since at least 2009. Industry researchers have linked VooDoo Bear to GRU Unit 74455. Earlier this year, the group was observed targeting Android devices used by the Ukrainian military with the Infamous Chisel malware.


RedStinger

RedStinger, also known as Bad Magic, is a relatively unknown threat actor group that targets entities in Ukraine. They have been active since at least 2020. The group seems to conduct espionage campaigns. They have been observed engaging in ongoing campaigns that targeted multiple entities in Ukraine, including those in the defense, transportation, and critical infrastructure verticals.

Cadet Blizzard

Cadet Blizzard, previously referred to as DEV-0586, is a Russia nexus state-sponsored threat actor group with potential ties to the Russian General Staff Main Intelligence Directorate (GRU). Cadet Blizzard has been active since at least 2020; the WhisperGate wiper, deployed against Ukrainian organizations in January 2022, is one of its better-known malware families. The group was very active in January and June 2022, went quiet for a period, and resumed activity in January 2023. Cadet Blizzard’s activity appears to be, by design, less stealthy than other GRU-directed network operations.


Killnet

Killnet, a hacktivist group thought to align with Russian interests, has been active since at least 2022 and is known for DDoS attacks, data theft, and leaks. They are known to target transportation, defense, government, financial, and telecommunications entities. They have been observed targeting entities exhibiting pro-Ukraine sentiments, including those in the US and Europe, and other NATO entities.


Nodaria

Earlier this year, a Russian threat actor group dubbed Nodaria was observed using the Graphiron infostealer to target entities in Ukraine. Graphiron is written in Go and can steal a variety of information, including system information, credentials, and files. It can also take screenshots on the victim machine. It then exfiltrates this data to the C2. While Nodaria conducts espionage, it is unclear whether they are a state-sponsored group.

Primitive Bear

Check Point Research recently reported on LitterDrifter, a USB worm being used by Primitive Bear, also known as Armageddon, Gamaredon, Actinium, and Shuckworm. The group has been one of the most active APT groups targeting Ukrainian assets, and its activity has traditionally been espionage aligned with Russian interests. In November 2021, the Security Service of Ukraine (SSU) publicly linked five Russian Federal Security Service (FSB) officers based in Crimea to the group. A report by the SSU stated the group has been active since at least 2014 and has engaged in multiple cyber-espionage campaigns from 2017-2021. The SSU report notes Primitive Bear does not typically use sophisticated TTPs and does not seem to emphasize OPSEC. Some of the tools and TTPs used by Primitive Bear include spearphishing, Pteranodon RAT, PowerShell, FileStealer, and EvilGnome.

LitterDrifter is a USB worm written in VBScript. It spreads from host to USB drive and back: on an infected host it copies itself, together with decoy shortcut (LNK) files, onto any removable drive that is connected, and it runs on any host where one of those shortcuts is opened. A separate component of the malware then communicates with the threat actor-controlled C2. While entities in Ukraine were the apparent target of LitterDrifter, industry researchers report that it has spread outside of Ukraine, with possible infections observed in the USA, Vietnam, Chile, Poland, Germany, and Hong Kong.
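The spreading mechanism above (a shortcut on the removable drive that launches a script dropped alongside it) is something a responder can hunt for on a mounted drive without knowing the worm's exact file names. The following is an added example written for this post, not code from PolySwarm or from Check Point's analysis. It assumes, beyond what the page states, that the shortcut's embedded command line starts a Windows script host (wscript.exe or cscript.exe) with a script file that is also present on the drive; the file names, the drive contents, and the minimal LNK-shaped byte blobs are constructed for the demo and are not LitterDrifter's actual artifacts.

```python
"""
Triage a removable drive for the shortcut-launches-script pattern that USB
worms such as LitterDrifter rely on.

Added example; not code from the PolySwarm post or from the public
LitterDrifter analyses. Assumptions not on the page: the shortcut (.lnk)
runs wscript.exe/cscript.exe with a script that also sits on the drive.
All file names and sample bytes below are constructed for the demo.
"""
import re
import stat
import tempfile
from pathlib import Path

# Every Windows shortcut starts with HeaderSize 0x4C followed by the LNK CLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

HOST_RE = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b", re.I)
SCRIPT_RE = re.compile(r"[\w.\\-]+\.(?:vbs|vbe|js|jse|wsf|hta)\b", re.I)


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII and UTF-16LE runs; LNK argument fields are UTF-16LE."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [
        r.decode("utf-16-le") for r in utf16_runs
    ]


def is_lnk(path: Path) -> bool:
    """Check the fixed header rather than trusting the .lnk extension."""
    with path.open("rb") as fh:
        return fh.read(len(LNK_MAGIC)) == LNK_MAGIC


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix elsewhere (best effort)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def scan_drive(root: Path) -> list[dict]:
    """Flag shortcuts whose embedded command line runs a script host with a
    script file, and record whether that script is present (and hidden)."""
    scripts_on_drive = {
        p.name.lower(): p
        for p in root.rglob("*")
        if p.is_file() and SCRIPT_RE.fullmatch(p.name)
    }
    findings = []
    for lnk in root.rglob("*.lnk"):
        if not lnk.is_file() or not is_lnk(lnk):
            continue
        text = " ".join(extract_strings(lnk.read_bytes()))
        if not HOST_RE.search(text):
            continue  # shortcut does not launch a script host
        refs = {m.split("\\")[-1].lower() for m in SCRIPT_RE.findall(text)}
        if not refs:
            continue
        present = [scripts_on_drive[r] for r in refs if r in scripts_on_drive]
        findings.append({
            "shortcut": str(lnk.name),
            "referenced_scripts": sorted(refs),
            "script_present": bool(present),
            "script_hidden": any(is_hidden(p) for p in present),
        })
    return findings


def build_demo_drive(root: Path) -> None:
    """Constructed sample data: one worm-style shortcut, one benign shortcut,
    and the script the worm-style shortcut points at (names are made up)."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "hidden.vbs").write_text("' placeholder script body\n")
    worm_args = "wscript.exe //b hidden.vbs".encode("utf-16-le")
    (root / "Documents.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56 + worm_args)
    benign = "C:\\Users\\Public\\report.docx".encode("utf-16-le")
    (root / "report.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56 + benign)


def demo() -> list[dict]:
    """Build the constructed drive in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp) / "E"
        build_demo_drive(drive)
        return scan_drive(drive)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real mount, point `scan_drive` at the drive root; a hit with `script_present` set and the script hidden is the pairing worth pulling the drive for, and the flagged shortcut and script can then be submitted for analysis.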

Cyber Regiment

While most of the threat actor groups featured in this report are Russia nexus, Cyber Regiment is a Ukraine nexus hacktivist group. Cyber Regiment describes themselves as a group of Ukrainian volunteers who collaborate to compensate for Ukraine’s lack of a traditional cyberwar capability. They are known to conduct both DDoS attacks and espionage campaigns.

IT Army of Ukraine

The IT Army of Ukraine is another Ukraine nexus hacktivist group. They are known to conduct high-profile cyber attacks on Russian entities. They also work in a defensive capacity to protect Ukraine’s critical networks. IT Army of Ukraine is officially endorsed by Ukraine's Ministry of Digital Transformation.

KibOrg and NLB

In October, two Ukraine nexus hacktivist groups, KibOrg and NLB, claimed they hacked Alfa-Bank, Russia’s largest private bank. While the two groups are hacktivist groups, reports suggest the SBU also played a role in the attack.


IOCs

LitterDrifter is one of the most recently reported malware families used in the Russia-Ukraine conflict. As such, we have chosen to feature LitterDrifter samples in this report.


PolySwarm has multiple samples of LitterDrifter.

You can use the following CLI command to search for all LitterDrifter samples in our portal:

$ polyswarm link list -f LitterDrifter




Topics: Ukraine, Russia, Threat Bulletin, Primitive Bear, Cozy Bear, Killnet, Cadet Blizzard, LitterDrifter, Ghost Writer, Fancy Bear, VooDoo Bear, RedStinger, Nodaria, Cyber Regiment, IT Army of Ukraine, KibOrg, NLB
