Conflict & Security
Inside the FrostyNeighbor cyber campaign hitting Eastern Europe
A decade-old hacking group is escalating its strikes on Ukraine, Poland and Lithuania, and AI may make the next wave faster and harder to stop.
![A photo shows a fragment of a screen at the Ukrainian Security Service headquarters in Kiev on March 6, 2019. [Sergei Supinsky/AFP]](/gc6/images/2026/07/07/56876-afp__20190317__1eq906__v1__highres__ukrainerussiapoliticsmassmediavotecomputers-370_237.webp)
By Olha Hembik |
A Ukrainian civil servant opens what looks like a routine notice from the national telecom company. The attached file checks out. Seconds later, hidden malware logs every detail of the machine and beams it to a server abroad, and a Kremlin-linked crew decides whether this target is worth watching.
That scene is playing out across Eastern Europe. Hackers working in Russia's interest are hitting state agencies, military offices and critical infrastructure online. The hybrid war runs hardest against three countries: Ukraine, Poland and Lithuania.
Since March, the Belarusian group FrostyNeighbor, also called Ghostwriter and UNC1151, has run a fresh cyberespionage campaign against Ukrainian state institutions. ESET, an international cybersecurity company, ties the group to the Belarusian government. Other researchers say some of its operations also serve Russian interests. FrostyNeighbor has operated for at least a decade and ranks among the most active hacking groups in the region.
Ukrainian users under threat
The hackers bait their targets with decoy documents. In one case, they disguised phishing emails and PDF files as a notification from the Ukrainian telecom company Ukrtelecom. The message carried a link to what looked like an official file.
![An employee shows a screen at the Ukrainian Security Service headquarters (SBU) in Kiev on March 6, 2019 during the joint EU-Ukraine cyber security drills. [Sergei Supinsky/AFP]](/gc6/images/2026/07/07/56877-afp__20190317__1eq8zr__v1__highres__ukrainerussiapoliticsmassmediavotecomputers-370_237.webp)
If the system confirmed the user sat in Ukraine, the victim received an archive containing a malicious JavaScript file. Opening it displayed a real document to keep the victim calm. Out of sight, the PicassoLoader malware installed itself. The tool harvested the username, computer name, operating system version, boot time and a list of running processes, then sent that data back to the attackers' servers on a regular schedule.
The hackers next judged whether the victim mattered. If so, they deployed a Cobalt Strike-based tool for remote access, exposing the user's every move.
Oleksiy, a Ukrainian hacktivist who goes by the handle Reaper, sees a direct Kremlin order behind the activity.
"There are entire units of people with badges doing this for state money. Their goal is to gather intelligence information," he told Kontur.
He pointed to Fancy Bear and Cozy Bear, Russian cyberespionage groups operating under the patronage of Russia's Foreign Intelligence Service. Through phishing campaigns and corporate surveillance, he said, these "hackers with badges" gather intelligence for Russia. They mine internal documents and details about how agencies run, then feed the material into future cyberattacks, hybrid operations and political pressure.
Oleksiy spelled out the stakes. Access to state systems hands attackers strategically important information. Breaching quasi-military entities lets them track decisions, including troop transfers and how forces line up along the front. Even a record of everyday purchases, he added, can reveal plenty.
Poland's infrastructure in crosshairs
Russia's reach extends to Poland and Lithuania, which Oleksiy links to their firm support for Ukraine.
One of Poland's largest cyberattacks struck in the final days of 2025, when Russian state-linked hackers went after the energy sector. The assault hit more than 30 wind and solar plants, plus a thermal station that heats nearly 500,000 people. The hackers aimed to cripple the infrastructure by damaging control systems. Defenders stopped them.
The pressure is relentless. CyberDefence24 logged 620,000 cyberattacks on Poland last year, most aimed at utilities and municipal systems. Poland's Ministry of Digital Affairs has called such attacks a key weapon against critical infrastructure and said it is building defenses to counter "attacks by the Russian Federation and other territorial entities that are carrying out hostile actions in cyberspace."
"At the height of the Russia-Ukraine war, online security is the foundation of Poland's national security," said Artur Wojdygo, a computer technology expert and volunteer at the Asymetryści foundation. He told Kontur that defense now demands state money at every level, from small firms to large corporations, and that security is becoming part of corporate culture.
The damage reaches ordinary people. On May 3, the Polish medical laboratory chain Optimed reported a breach of part of its IT systems. A preliminary analysis pinned it on an organized cybercrime group from Belarus. The company warned that hackers may have reached patients' full names, birth dates, home addresses and health records, including lab results, and urged patients to treat suspicious messages with caution.
A new kind of warfare
Lithuania took a hit, too. On May 25, LRT.lt reported that thieves stole more than 600,000 records from the Lithuanian Center of Registers, the state agency that manages property data.
Laurynas Kasčiūnas, leader of Lithuania's conservative opposition, wrote on Facebook that the leak may have exposed confidential details on intelligence officers, military personnel, politicians, diplomats and civil servants. The incident, he wrote, "bore the hallmarks of a Russian intelligence operation."
ESET traced FrostyNeighbor's previous burst of activity to 2024 and found this year's campaign more carefully planned. The next leap may come from artificial intelligence (AI).
Nikita Gladkikh, an AI expert, expects attackers to grow more capable as the technology advances. Within a few years, he said, AI-driven attacks will increasingly hit popular platforms such as Discord and YouTube.
"This could spawn a new form of cyber warfare, where attacks will happen almost immediately and autonomously," he told Kontur. Only defenses that also run on AI and react just as fast will hold, he said, calling the shift a coming "major challenge for global security."
ESET expects FrostyNeighbor to keep sharpening its methods as the hybrid war grinds on. Its appetite for state targets and strategic assets in Eastern Europe will only grow.