Hackers are present unnoticed in the infrastructure of every fifth Russian company, cybersecurity experts told Izvestia. Prolonged covert collection of information is typical primarily for espionage and hacktivist groups and carries the risk of losing critical data and damaging the company's reputation. How to spot their presence, and what else makes such surveillance dangerous, is explained in this Izvestia article.

How hackers hide in a company

Hackers are hidden in the computer systems of 20% of Russian companies: they collect data without giving themselves away or disrupting business processes, BI.ZONE Compromise Assessment specialists told Izvestia.

"Most of the detected cases of covert presence are attributed to groups that specialize in cyber espionage," said Vladimir Grishanov, head of the company. "Their specificity is such that, in order to achieve their goals, they stay in the victim's infrastructure for a long time, quietly collecting sensitive information."

Photo (keyboard): Global Look Press/IMAGO/Piero Nigro

This is how they differ, for example, from ransomware groups, which, as a rule, carry out attacks quickly and immediately make financial demands. Another 20% of detected cases of hidden presence in the infrastructure are attributed to hacktivists.

According to the Solar Cyber Threat Research Center for November 2025, the share of professional hacker groups in the infrastructures of Russian companies reaches 35%.

Attackers try to gain a foothold in the organization's key systems. First of all, these are domain controllers, virtualization systems, and backup servers. Control over these nodes allows them to manage accounts and influence the company's entire IT infrastructure.

Photo (hacker at work): IZVESTIA/Sergey Konkov

According to the Threat Zone 2026 study, 37% of all attacks targeting Russian organizations are carried out for espionage purposes. Spies actively use legitimate tools, as well as malware of their own design. All this allows them to bypass security measures more effectively and remain unnoticed for longer.

How intruders infiltrate a company

"There are a lot of methods and tools for penetrating the infrastructure, but two vectors remain unchanged," says Konstantin Melnikov, head of the Department of Special Services at Infosecurity. "The first one is technological. This is the identification of vulnerabilities in systems, sites, and code. Both pentest specialists (legal penetration testing. — Ed.) and intruders follow this path: they try to hack the system and find a weak spot."

At the same time, social engineering methods can be used: for example, hackers leave flash drives at the office in the expectation that one of the employees will find and connect them to a computer.

"The second vector is social," the expert emphasized. "This is working with people: deception, blackmail, phishing, malware distribution. A mixed approach stands out separately: OSINT (collecting information about a target). The victim may be an employee of the organization. It's not uncommon for people to use the same simple passwords everywhere, so hackers find the password to their personal email and use it to access their corporate account. As a result, the attacker gets access 'legally' without breaking into the perimeter."

Photo (businessmen): IZVESTIA/Pavel Volkov

As an example, the expert cited a case from practice: hackers compromised the mailbox of an ordinary engineer, studied his correspondence and, on his behalf, asked the administrator to grant access for tests. The administrator violated the rules and granted it.

According to Denis Kuvshinov, head of the Threat Intelligence department at the Positive Technologies security expert center, hackers also get in through phishing emails sent to employees. These usually carry a malicious payload in the form of a file or a link.

"Hackers can also exploit the network connectivity between the target organization and its contractor," he explained. "To do this, they first compromise the network of a large company's contractor."

Attackers hide inside the system in various ways, Denis Kuvshinov added. For example, they use legitimate file names, rely on system administration tools instead of their own malware, and work inside the infrastructure only at night.

Photo (VPN): IZVESTIA/Polina Violet

To hide their location, attackers mask traffic through a VPN or proxy connection, spoof MAC addresses or use non-standard ports, added Natalia Quereng, a leading cybersecurity consultant at Infosecurity.

"It's not easy to suspect an attacker in the IT infrastructure; modern hackers try to act covertly," the expert noted. "Among the main signs are anomalies in accounts. Another group of signs is related to 'oddities' in the operation of the network and equipment."

For example, a sudden slowdown of the Internet connection or unusually high outgoing traffic, a computer that runs slowly or gets very hot while idle, and the spontaneous shutdown of the antivirus or firewall.

How to suspect a "mole"

Alerts from security tools, as well as the presence of anomalies, can help reveal the presence of intruders in the system, said Stanislav Pyzhov, head of the analysis group at the Solar 4RAYS Cyber Threat Research Center.

"For example, abnormal logins: atypical time, unusual geography, several countries in a short period of time," the expert noted. "As well as accounts that access resources they have never accessed before, spikes in outgoing traffic, especially at night or on weekends, the appearance of new accounts with administrator rights, and disabling or changing antivirus and logging settings."

Photo (office employees): IZVESTIA/Sergey Lantyukhov

According to Stanislav Pyzhov, the risks of a long-term presence grow rapidly over time. In the first days there is usually reconnaissance: exploring the network and collecting credentials. In the following weeks, the attackers can move laterally through the infrastructure and gain a foothold on key nodes.

Further, they can gain full control over the infrastructure, steal confidential data and strengthen their presence, for example by embedding themselves in Docker containers (isolated environments for running applications. — Ed.). Then, at any moment, the attackers can cause maximum damage: encrypt all critical data, which leads to a partial or complete shutdown of the company, or publish the confidential data.

To protect themselves, companies should set up auditing of information security events on all computers in the infrastructure and organize centralized collection and monitoring of the incoming data, tracking which correlation rules are triggered, said Kirill Mitrofanov, head of the Cyber Threat Intelligence analytics team at Kaspersky Lab.
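The account anomalies listed by Stanislav Pyzhov above (atypical logon time, several countries in a short period, access to never-before-used resources, new administrator rights) and the centralized collection with correlation rules that Kirill Mitrofanov recommends can be expressed as concrete detection logic. The following is an added example, not code from the article or from any of the companies quoted; the telemetry records, the baseline of normally used resources, the two-hour window and the working-hours range are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of centrally collected logon telemetry (not real data).
# Fields: timestamp, account, source country, resource, admin rights granted.
SAMPLE_EVENTS = [
    ("2025-11-03 09:12:00", "ivanov", "RU", "fileshare-hr", False),
    ("2025-11-03 10:05:00", "petrov", "RU", "erp", False),
    ("2025-11-03 10:30:00", "petrov", "DE", "erp", False),    # 2nd country in 25 min
    ("2025-11-03 02:15:00", "ivanov", "RU", "dc01", False),   # night logon, new resource
    ("2025-11-04 03:00:00", "svc_backup", "RU", "dc01", True),  # admin rights at night
]

# Hypothetical baseline: resources each account normally accessed during an
# earlier, presumed-clean period.
BASELINE = {"ivanov": {"fileshare-hr"}, "petrov": {"erp"}, "svc_backup": {"backup01"}}

def correlate(events, baseline, window=timedelta(hours=2), work_hours=(7, 20)):
    """Run the correlation rules over events and return (rule, account, ts) hits."""
    hits = []
    recent_by_user = {}  # account -> [(datetime, country)] still inside the window
    for ts, user, country, resource, admin in sorted(events):  # chronological order
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Rule 1: logon at an atypical time (outside working hours).
        if not work_hours[0] <= t.hour < work_hours[1]:
            hits.append(("off_hours_logon", user, ts))
        # Rule 2: account touches a resource absent from its baseline.
        if resource not in baseline.get(user, set()):
            hits.append(("new_resource_access", user, ts))
        # Rule 3: account is granted administrator rights.
        if admin:
            hits.append(("admin_rights_granted", user, ts))
        # Rule 4: logons from several countries within a short period.
        recent = [(pt, c) for pt, c in recent_by_user.get(user, []) if t - pt <= window]
        if any(c != country for _, c in recent):
            hits.append(("multi_country_logon", user, ts))
        recent_by_user[user] = recent + [(t, country)]
    return hits

def suspect_accounts(hits, min_rules=2):
    """Accounts that triggered several distinct rules: the first candidates for
    a hunting hypothesis that the company is already compromised."""
    per_user = {}
    for rule, user, _ in hits:
        per_user.setdefault(user, set()).add(rule)
    return {u: r for u, r in per_user.items() if len(r) >= min_rules}

if __name__ == "__main__":
    print(suspect_accounts(correlate(SAMPLE_EVENTS, BASELINE)))
```

In a real deployment the events would come from the centralized log store and the baseline from a historical period; the rules stay the same.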

Photo (locks): Global Look Press/IMAGO/Steidi

Another way to identify potentially malicious behavior in the infrastructure is to implement a threat hunting process. It is based on forming hypotheses about compromise of the infrastructure: work proceeds on the assumption that the company has already been hacked, and evidence of malicious behavior must be found by examining the streams of network and host telemetry.

Translated by the Yandex Translate service
