Kaspersky Lab Studies Hack Groups Attacking Russia

Kaspersky Lab specialists have conducted a technical analysis of the activity of 14 hacker groups that are actively targeting organizations in Russia, Belarus, and several other countries. Among them are hacktivist groups that appeared on the Russian threat landscape after 2022 and publicly identified themselves as “pro-Ukrainian.”

Three Clusters of Threat Actors

Researchers classified the groups into three main clusters based on their motives and tools:

  • Hacktivists — Operate for ideological reasons, aiming primarily to disrupt and destroy company infrastructure in Russia. Groups include TWELVE, BlackJack, Head Mare, C.A.S., and Crypt Ghouls.
  • APT Groups — Conduct sophisticated, targeted campaigns focused on cyber-espionage. These include Awaken Likho, Angry Likho, GOFFEE, Cloud Atlas, Librarian Likho (formerly Librarian Ghouls), Mythic Likho, and XDSpy.
  • Hybrid Actors — Groups with mixed tactics and unique signatures, such as BO TEAM and Cyberpartisans.

Growth Since 2022

The number of hacker groups attacking Russia has surged since 2022, largely due to the emergence of hacktivists. According to Kaspersky Lab, these actors have become more experienced and organized, sharing tools, dividing responsibilities, and seeking publicity.

In 2025 alone, at least seven new groups have been identified.

Collaboration and Targets

Most of the studied groups interact with each other, often using the same toolsets or dividing operational roles—where one group gains access and another ensures persistence or causes damage.

While attackers target a broad range of industries, the public sector, industrial enterprises, and telecom providers are the top three sectors under sustained pressure. Both large corporations and small businesses are at risk.

Increasing Technical Sophistication

Researchers note that in recent years the groups have become more technically advanced. Tools that were once rare, were typically reserved for red team exercises, or existed only in theory are now appearing in real-world attacks. This suggests that threat actors are studying not only open-source information but also professional research, experimenting with new methods and adapting them for malicious use.

Expert Commentary

“Since 2022, Russia has been the most attacked country in cyberspace,” said Nikita Nazarov, Head of Advanced Threat Research at Kaspersky Lab. “The key threat to domestic organizations remains hacktivism: the number of such groups is growing, and their technical level is constantly increasing. The methods used by some actors are sooner or later adopted by others. Our new report is a contribution to global cybersecurity, helping information security specialists stay one step ahead of a threat that has become systemic in Russia and beyond.”
