Letters of Misfortune: how government employees are being deceived by hackers
An employee of a Russian government agency fell for phishing five times and thereby opened the organization's systems to malware. This was reported to Izvestia by a cybersecurity company. The attack was carried out over the course of a year by hackers from the Cloud Atlas group, which specializes in obtaining corporate information, gaining access to institutions' systems, and espionage. The phishing emails were disguised as offers of cooperation and advertisements for a factory or a construction company. How hackers attack government agencies, and why employees lack vigilance, is covered in this Izvestia article.
How phishing dupes employees
Hackers attacked one of the Russian government institutions for almost a year, sending phishing emails. And, as it turned out, the same employee of this institution opened malicious files five times. This was told to Izvestia by the Solar 4RAYS Cyber Threat Research Center of the Solar Group, which investigated the attack.
The attack was carried out by the Cloud Atlas group, which specializes in espionage operations around the world and has been attacking government agencies in various countries since at least 2014. For initial penetration into the infrastructure of a government agency, its members usually use malicious attachments in Microsoft Office document format.
So it was with this institution. First, the attackers sent a document named "О сотрудничестве.doc" ("On Cooperation.doc"). According to the browser history, an employee of the organization downloaded this file in April 2024 and opened it immediately.
"In Cloud Atlas phishing campaigns, a malicious document downloads a remote template from the attackers' server when opened," the experts explained. — The template exploits an old vulnerability in a component of the Microsoft Office suite that allows malicious code to be run. After that, the malicious VBShower file is downloaded, which is used to carry out the attacks.
This user also opened all subsequent phishing emails. Their subjects were "Novosibirsk Household Chemicals Plant", "Budget for 2025" and "Optimization of turnover". Each time, the employee immediately launched every file containing "malware".
The last of the opened emails contained another promotional offer of cooperation and a description of a construction company, and the attachment was built on an advertising template of a real company. The malicious document injected code into the system, after which the hackers uploaded a second payload — VBCloud. But they could not launch it — the monitoring system was triggered.
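The remote-template trick described above, in its OOXML (.docx) form, can be spotted statically before the document is ever opened: a document that will fetch its template from a server carries an `attachedTemplate` relationship with `TargetMode="External"` in its settings part. The scanner below is an added example, not code from Solar 4RAYS or the article; the sample document and its target URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_RELS + "/attachedTemplate"
# Target prefixes that make Office reach outside the local package on open.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")


def find_external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels part, relationship kind, target) for every relationship in
    the OOXML package whose target lies outside the file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can reference external targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith(REMOTE_PREFIXES):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. "attachedTemplate"
                    hits.append((name, kind, target))
    return hits


def has_remote_template(docx_bytes: bytes) -> bool:
    """True if opening the document would pull its template from a remote server."""
    return any(kind == "attachedTemplate" for _, kind, _ in find_external_relationships(docx_bytes))


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx: just enough parts for the relationship check.
    With template_target=None the document only references its own styles part."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_RELS}/styles" Target="styles.xml"/>']
    if template_target:
        rels.append(f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    settings_rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                     f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()
```

Running `find_external_relationships` over mail attachments at the gateway, or over files written to user download folders, lists the remote targets a document would contact on open, which is the observable an analyst wants before deciding whether the "cooperation offer" is what it claims to be.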
"This example shows how necessary it is to constantly train employees in the rules of cyber hygiene," said Vladimir Dukhanin, an expert at the Solar 4RAYS Cyber Threat Research Center at Solar Group.
There are many real cases in which company employees click on phishing links or open dangerous emails, creating risks for their companies, said Sergey Kireev, senior analyst at Cyber Threat Intelligence at Kaspersky Lab.
"In our practice, there was a case when the head of a small company ignored the recommendations of colleagues from the IT department not to open unfamiliar links, because, in his opinion, these could be important business proposals," he said. — Thereby exposing the company to infection.
In another organization, an employee received an email attachment that would not open. He decided that his computer was malfunctioning, so he forwarded the attachment to all his colleagues. The file contained a Trojan, and as a result all the organization's devices were infected.
— And in some cases, the employees themselves help the attackers to carry out a successful phishing attack, — said Sergey Kireev. — So, recently, an employee of one company received a phishing email with a malicious attachment, which was disguised as a legitimate PDF document.
This employee clicked on the attachment, but nothing happened — the document did not open. It turned out that the attackers had incorrectly configured their own malicious document and it could not start. And then the employee wrote a reply letter to the hackers, informing them that there were problems with the document, and also asking them to send him a new one.
— The attackers responded to the request and sent a new malware sample in an attachment. After that, they successfully penetrated the organization's infrastructure, — Sergey Kireev added.
How hackers mask attacks
Denis Kuvshinov, head of the Threat Intelligence Department at the Positive Technologies Security Expert Center, confirmed the trend towards unpreparedness of employees of various organizations, including government ones.
— For example, during the attacks of the Goffee group, one of the employees opened a malicious attachment from a phishing email several times, since "nothing happened" after the launch, he said. — There are situations when employees not only opened such attachments themselves, but also sent letters to colleagues. As a result, this led to a kind of self-distribution of malware by the employees themselves.
Another malicious mailing was disguised as business correspondence about concluding a contract, as recounted by Kristina Burenkova, head of the Department for Analysis and Assessment of Digital Threats at Infosecurity (Softline Group).
"The user received an email with an archive attached," she said. — There were three files inside the archive, including a draft agreement and terms of reference. Visually, the files were displayed as PDFs, had the matching icon and even a double extension, which default settings hide.
However, double-clicking a file did not open the document for viewing but executed malicious code. On inspection, each of the files turned out to be infected with a Trojan.
Why the public sector is attacked
The public sector is one of the most intensively and frequently attacked areas in Russia, according to the Kaspersky Threat Intelligence Portal.
In attacks on government employees, hackers mainly act through phishing, Denis Kuvshinov confirmed. Most often, these are targeted mailings with specific topics relevant to the government agency to which the letter is being sent.
— We also see examples when malicious emails are sent from the mailboxes of hacked contractors — in such situations, the probability of success of the attack increases, — said the expert.
At the same time, attacks are becoming more personalized and technically sophisticated, Kristina Burenkova added. One of the most common scenarios is targeted phishing.
— Hackers study the structure of the organization, the names of managers, internal communications — through open sources, social networks, data leaks, — she said. — Then they create letters that look like legitimate requests from their superiors, colleagues, or related departments.
Having gained access to the mail of one employee, the attackers go further — compromising corporate correspondence, sending instructions to his colleagues on behalf of the real sender, initiating unauthorized transfers of funds or data leakage.
Cyber attacks, including those on the public sector, often begin with phishing, Sergey Kireev confirmed. For example, in the fourth quarter of 2025, his team discovered a wave of targeted malicious mailings to Russian medical institutions sent on behalf of well-known insurance companies and hospitals.
— In one campaign, 63 emails were identified whose attachment contained the BrockenDoor backdoor (malware. — Ed.), which allowed the attackers to control the infected victim's computer, he noted.
How to teach employees about cyber hygiene
Employees lack vigilance because they are not directly responsible for the consequences of a cyberattack, Denis Kuvshinov believes.
— Most attacks can be prevented with the help of basic information security tools, — the expert is sure. — But often the organization itself has an insufficiently protected infrastructure.
Kristina Burenkova believes that phishing does not attack the level of knowledge, but situational vulnerability — the human condition at the time of the attack. And here there is a complex of factors that disable rational thinking.
— A separate story is emergencies, — said Kristina Burenkova. — During reporting periods, accountants or civil servants react automatically without checking the details. Anything "urgent" in such circumstances gets priority by default.
A special category is IT specialists and technical staff. Hackers send them legends about "system updates" or "security failures" — and professional automatism is triggered, which in this case plays against them.
Situations when employees, even with information security instructions, respond to phishing emails several times in a row are usually associated not so much with a lack of knowledge as with a state of psychological overload and a decrease in the basic sense of security, said Maria Todorova, a family psychologist and neuropsychologist.
"A person's attentiveness directly depends on their emotional background and level of inner stability," she stressed. — When the basic sense of security is weakened due to stress, an alarming information background, and a high workload, cognitive filters work worse. In this state, the brain often acts automatically and misses potential threats.
According to the psychologist, in conditions of overload, a person intuitively looks for signals of cooperation and social contact — this is exactly what modern phishing attacks disguised as business offers are based on. Such letters fall into a vulnerable place of the psyche: the desire to respond quickly, not to miss an opportunity, to complete a work task.
Translated by the Yandex Translate service