Russian Cyber Campaign Overview

Russia's cyber campaign against Ukraine involved at least six distinct APT (Advanced Persistent Threat) groups under GRU and FSB oversight: Sandworm (most destructive), Gamaredon (espionage), APT28 (Fancy Bear, phishing), Turla (FSB), UNC2589, and others. The coordination between cyber and kinetic operations — attacking power grid cyber the night before missile strikes — was a genuine tactical innovation.

Cloud Migration — Government in the Cloud

• Ukraine's most consequential pre-invasion cyber decision: the 2021–2022 Diia app and broader government data migration to cloud (Amazon AWS, Microsoft Azure, Google Cloud) moved critical government data off Ukrainian-based servers before invasion began
• When Russian forces occupied government buildings in Kherson, Mariupol, and other cities, they found server rooms stripped or powered down; essential government data was already in cloud, inaccessible to Russian occupation authorities
• The "Government in a Box" concept: Ukraine created the ability to operate entire ministry functions from any location with internet access; government continuity was maintained even when physical ministry buildings were destroyed or occupied
• The Diia app — Ukraine's digital government platform combining ID documents, land registry, social payments, and state services in a single mobile app — became a model for wartime government resilience; citizens receiving social payments and accessing services via smartphone even in active war zones
• Microsoft's support was substantial: Microsoft Threat Intelligence Center (MSTIC) pre-positioned cyberdefence teams in Ukraine; Microsoft moved Ukrainian government data to European cloud data centres before the invasion; Microsoft has published detailed public threat intelligence on Russia's cyber operations against Ukraine

Starlink and Communications Resilience

• The Viasat attack on 24 February 2022 demonstrated Russia's intent to destroy Ukrainian satellite communications; within hours, Elon Musk had activated Starlink coverage for Ukraine and shipped thousands of terminals
• Starlink became the backbone of Ukrainian military communications in extended areas without fixed infrastructure; forward positions, mobile command posts, and drone operators used Starlink for connectivity when cellular and military radio systems were disrupted or jammed
• Russia's response — electronic warfare jamming of Starlink signals — was initially partially effective in some areas; SpaceX updated firmware multiple times to counter Russian jamming, demonstrating the adaptive resilience of the system
• By 2023–2024, approximately 40,000–50,000 Starlink terminals were in operation in Ukraine (military and civilian combined); the US, UK, and European donors paid for significant tranches of military terminals; this made Starlink arguably the most impactful single communications technology contribution to the war
• Concerns about Starlink dependence: Ukraine has sought to diversify satellite communications (IRIS² EU satellite constellation planning, UK Eutelsat agreements, national military satellite considerations) to avoid over-reliance on a single commercial provider whose continuity depends on US policy and the decisions of a single corporate owner

Private Sector and Allied Support

• Western tech companies provided unprecedented wartime cyber support: Microsoft (threat intelligence, cloud migration, vulnerability sharing), Google (Project Shield DDoS protection, Mandiant integration post-acquisition), Amazon (AWS data migration for government), Cloudflare (DDoS protection for Ukrainian media/government), ESET (malware detection — Slovak AV firm with deep Ukraine presence), SentinelOne, CrowdStrike
• NATO CCDCOE (Estonia): deployed rapid reaction cyber defence teams to Kyiv; provided incident response expertise; shared intelligence on Russian APT tools and indicators of compromise
• Five Eyes intelligence sharing: US Cyber Command (USCYBERCOM) and NSA shared real-time intelligence on Russian cyber operations with their Ukrainian counterparts, providing weeks of warning in some cases before cyber attacks
• EU Cyber Rapid Response Teams (EU CRRTs): Lithuania and other Baltic-led teams provided on-site technical assistance to Ukrainian government ministries
• The collective response demonstrated a new model for wartime cyber defence: a public-private coalition of government agencies, tech companies, and allied experts operating at a pace commensurate with the threat

Ukrainian Offensive Cyber

• Ukraine has not publicly attributed specific offensive cyber operations to government actors — maintaining plausible deniability — but multiple operations have been linked to Ukrainian intelligence or aligned groups
• Recorded Future, Microsoft, and other threat intelligence firms have documented operations targeting Russian government networks, state media, and military logistics systems attributed to Ukrainian or Ukraine-aligned actors
• Notable operations: data exfiltration from Russian government agencies; temporary disruption of Russian state media broadcasts; leaking of Russian conscription and military deployment records; targeting of Russian financial services
• GUR (Ukrainian military intelligence) has been identified as operating an offensive cyber capability alongside its broader intelligence and special operations mandate; the unit's activities have included operations inside Russia targeting information critical to Ukrainian military planning

The IT Army of Ukraine

• Ukraine's Ministry of Digital Transformation announced the creation of the "IT Army of Ukraine" on 26 February 2022 — a volunteer cyber force using a Telegram channel to coordinate DDoS (distributed denial of service) and other attacks on Russian targets
• The IT Army reached 300,000+ members at peak; it conducted DDoS attacks on Russian government websites, financial institutions (affecting Sberbank, VTB, Russian Central Bank websites), rail booking, and state media
• Assessment: DDoS campaigns against Russian targets produced temporary disruptions rather than lasting damage; Russia's government infrastructure is largely decoupled from public internet; the IT Army's value was more morale/signalling (Ukraine fights back) than operational; some defence analysts worry that encouraging volunteer hackers blurs laws of armed conflict boundaries
• By 2024–2025 the IT Army had shifted toward more targeted, intelligence-informed operations rather than mass DDoS; cooperation with Ukrainian intelligence has increased the sophistication of selected operations

Global Lessons

• Cloud first is resilience first: Ukraine's survival of the opening cyber salvo is directly attributable to the decision to move government data to cloud before invasion; this is the single most exportable lesson for other governments facing hybrid/cyber threat environments
• Speed matters: The Viasat-to-Starlink transition in hours (not days) showed that pre-planned continuity arrangements and rapid industry response can offset catastrophic disruptions; relationships between government and industry must be pre-built, not improvised under fire
• Cyber and kinetic are integrated: Russia's best cyber operations (power grid attacks) were coordinated with kinetic strikes to compound confusing and damage; defenders must assume adversaries will do the same and plan for simultaneous cyber/physical disruption
• Open cyber cooperation works: The unprecedented collaboration between Ukraine, Western governments, NATO structures, and private sector firms under wartime conditions has produced faster threat intelligence sharing than any peacetime framework; formalising multi-stakeholder wartime cyber coalitions is a priority lesson for NATO planning
• Defensive cyber is achievable: Russia's cyber operations, while extensive, failed to achieve decisive strategic effects; a combination of preparation, resilience architecture, and rapid response can degrade even a tier-1 adversary's cyber effectiveness — this challenges the prevailing assumption that cyber offence has an unbeatable inherent advantage over defence

Frequently Asked Questions