New code: hackers are twice as likely to use AI for attacks
The number of cyberattacks using artificial intelligence on Russian critical infrastructure in 2025 almost doubled compared to 2024. In particular, the Forbidden Hyena group has become more active: it uses AI to create malware that gives attackers remote control of devices. The attackers then block the infrastructure and extort money to restore normal operation. The attacks mainly target government agencies, healthcare organizations, and housing and communal services. More information about how AI is used for attacks can be found in the Izvestia article.
How hackers use artificial intelligence
Hackers attacked Russian companies using artificial intelligence far more often in 2025: the number of such incidents increased by 93%, cybersecurity companies told Izvestia. In particular, the Forbidden Hyena hacktivist cluster, which first announced itself at the beginning of last year, has recently become more active, BI.ZONE Threat Intelligence said.
Its main targets are Russian government agencies, as well as organizations in healthcare, energy, engineering, retail and utilities. Experts discovered the group's command server, which held scripts (sets of instructions written in programming languages) showing signs of AI generation.
One of these scripts was intended to establish persistence in the victim company's system, and the other to install remote access software.
"The fact that artificial intelligence was used to generate these scripts is evident from some of the code features," explained the head of BI.ZONE Threat Intelligence, Oleg Skulkin. "Among other things, these are clear names of variables and the absence of special code obfuscation methods, which are usually used by attackers when developing tools on their own."
During the attack, the BlackReaper RAT remote access Trojan is downloaded to the victim's computer, which allows the attackers to control the compromised device. The ultimate goal of the attackers is to block the infrastructure and demand a ransom.
Vladislav Tushkanov, head of the machine learning technology research group at Kaspersky Lab, noted that the company regularly finds traces of the use of AI for malicious purposes: to generate phishing pages, write ransomware, and even create software for advanced targeted cyberattacks.
"The technology is also used by groups targeting Russian organizations, such as Librarian Likho, which at the end of 2025 attacked domestic enterprises from the aviation and radio industries with AI malware," the expert said. "We are witnessing a trend towards automating an increasing number of links in the attack chain, which can potentially increase the efficiency of attackers' operations and lower the threshold for entry into the industry."
Using a neural network simplifies and speeds up attacks, confirmed Sergey Zybnev, a leading specialist in the Bastion vulnerability management department.
"In 2026, most cyber attacks will be carried out using AI," he said. "According to foreign industry agencies, the number of such attacks in the world has increased by 70% in a year."
How AI works in the hands of intruders
The most common scenario of an attack on Russian organizations using AI is phishing, in which a neural network writes convincing messages on behalf of management, colleagues or relatives, said Sergey Zybnev. Currently, more than 80% of phishing emails are generated using large language models (a type of artificial intelligence program that can recognize and generate text).
As a result, even novice hackers can already carry out complex cyber attacks, said Polina Sokol, product manager of the ML technology development group at Solar Group.
"For example, it's possible to create deepfakes in real time," she said. "Hackers fake voice and video to make calls to supervisors or employees in order to authorize the transfer of funds or pass off malware as a legitimate update. Or hackers ask the AI to write not a virus, but separate pieces of code: for example, a module for covertly launching programs, stealing passwords from a browser or communicating with a server. A ready-made Trojan is assembled from these legal fragments."
In addition, hackers use autonomous AI agents that study the victim's network, look for vulnerabilities, and choose the moment to attack without human intervention.
"First of all, industry is under attack," the expert noted. "Next come retail and the food industry; a large number of transactions and customers' personal data pass through these areas. And hackers attack telecom and mass media to intercept traffic and data."
Healthcare is also at risk — attackers need data from the patient card to blackmail the victim.
How to protect yourself from AI attacks
Protection against attacks using AI requires not only technical, but also organizational measures, emphasized Yuri Tyurin, Technical Director of MD Audit (Softline Group).
"The priority is to strengthen multi-factor authentication, especially for financial transactions and administrative access," the expert said.
It is also necessary to regularly train employees taking into account new scenarios: deepfakes, fake voice messages, personalized letters.
"Users should understand that even a perfectly written message can be fraudulent," said Yuri Tyurin. "On the technical side, it is necessary to introduce behavioral analysis systems, new-generation anti-phishing gateways, and monitoring of anomalies in accounts."
It is also important to minimize the amount of open corporate data, as AI actively uses such information to prepare attacks.
The best online behavior scenario is the principle of "zero trust": no one can be trusted by default, added Polina Sokol.
