Russian hackers are increasingly attempting to regain access to computer systems they previously compromised, Ukraine’s cyber incident response team (CERT-UA) said, warning that earlier breaches are often being used as footholds for follow-up operations.

In a new report, CERT-UA said attackers are revisiting previously breached infrastructure to check whether access is still available, whether exploited vulnerabilities have been patched and whether previously obtained credentials remain valid.

“Unfortunately, these attempts sometimes succeed if the root cause of the initial incident has not been completely eliminated,” the researchers said.

The trend reflects a broader shift in attackers’ tactics during 2025. In the first half of the year, many cyber incidents relied on a “steal-and-go” approach, in which attackers deployed malware designed to quickly collect credentials or other sensitive data before leaving the system to avoid detection.

But in the second half of the year, researchers observed a growing focus on maintaining long-term access to compromised networks.

CERT-UA said the strategy allows threat actors to maximize the value of successful breaches by returning later to expand access, conduct espionage or support other phases of cyber operations.

Researchers also observed changes in how attackers initially gain access to Ukrainian networks. Traditional phishing emails and malicious attachments are becoming less effective as organizations become more aware of common cyber threats, CERT-UA said.

Instead, attackers are increasingly relying on sophisticated social engineering tactics designed to build trust with victims. In many cases, hackers contact targets directly by phone using Ukrainian mobile numbers and legitimate messaging accounts, speaking fluent Ukrainian and demonstrating detailed knowledge about the individuals or organizations they are targeting.

Only after establishing trust through phone calls or video chats do attackers send malicious files through messaging apps, significantly increasing the chances that victims will open them.

According to CERT-UA, Russia-linked hacking groups including APT28, also known as Fancy Bear, and the threat actor tracked as Void Blizzard have used this technique in attacks against members of Ukraine’s armed forces and government institutions.

Despite the evolution in tactics, the report noted that the overall number of cyber incidents declined in the second half of 2025 compared with the first — the first such drop since Russia’s full-scale invasion began.

Researchers said the decrease may indicate that Ukrainian organizations are gradually adapting to the threat environment and improving their defenses.

The security and defense sector remains the primary target, CERT-UA said, because disrupting or infiltrating those networks could directly influence the course of the war.