Pre-War Cyber Context
- Ukraine as Russia's cyber testing ground: Before the 2022 invasion, Ukraine had experienced nearly a decade of intensive Russian cyber operations that made it simultaneously one of the most cyber-attacked nations in the world and one of the most practically experienced in cyber defence. The 2015 and 2016 attacks on Ukrainian power distribution companies, attributed to Russia's Sandworm APT group, caused actual blackouts affecting hundreds of thousands of customers — the first confirmed cyber-induced power outages in history. The 2017 NotPetya malware attack, which spread from Ukrainian accounting software to devastate networks globally, inflicted an estimated $10 billion in damages worldwide. These experiences hardened Ukrainian cyber defenders and generated institutional knowledge about Russian offensive techniques, malware families, and operational patterns that proved invaluable once full-scale war began.
- Industry and government cyber relationship: Ukraine's strong domestic technology sector, centred on Kyiv and including major software development and cybersecurity companies, had developed close relationships with government cyber institutions in the decade before the invasion. Ukrainian cybersecurity firms had deep visibility into Russian malware campaigns through their protection of Ukrainian corporate and government networks, and this intelligence fed directly into government awareness of the Russian cyber threat. The informal but close ecosystem of relationships between private sector cyber professionals and government cyber defenders was a structural advantage that proved highly valuable when war began and the resource demands of cyber defence multiplied dramatically.
- Western cyber assistance before the war: US Cyber Command conducted a "hunt forward" operation in Ukraine in late 2021, deploying teams to hunt for malware on Ukrainian networks before the invasion. This pre-positioning of US expertise contributed to rapid detection and response capabilities when Russian cyber operations intensified in the weeks before and after the 24 February 2022 invasion. Similar bilateral assistance from UK, Estonian, and other European cyber agencies was also in place before the invasion, creating a relationship infrastructure that could be rapidly scaled when conflict began.
Russian Cyber Operations Against Ukraine
- The Viasat hack (24 February 2022): Russia's most consequential single cyber operation of the war's opening phase targeted KA-SAT, a satellite communications network operated by Viasat, approximately one hour before the invasion began on 24 February 2022. The attack deployed a wiper malware called AcidRain against modems accessing the KA-SAT network, bricking tens of thousands of modems across Ukraine and in several European countries that used the same service. The attack disrupted communications for Ukrainian military units, government agencies, and civilians, and also disrupted wind farm monitoring systems in Germany — an inadvertent demonstration of civilian infrastructure collateral damage. The Viasat attack is regarded as the most operationally significant cyber operation of the war's initial phase, though its impact was partially mitigated by the rapid deployment of Starlink as an alternative communications backbone.
- Persistent attacks on energy infrastructure: Russia's GRU military intelligence unit, operating as Sandworm, has repeatedly attempted cyber attacks on Ukrainian energy infrastructure, seeking to compound the physical damage from missile strikes with digital disruption. A significant operation in April 2022 targeted Ukrainian energy company DTEK with the Industroyer2 malware — an evolved version of the tool used in the 2016 power attacks — in conjunction with a physical missile strike intended to prevent manual restoration of the digitally compromised systems. Ukrainian CERT-UA and private cybersecurity partners detected and neutralised the Industroyer2 malware before it could trigger a blackout, a success attributed to the pre-positioned defensive improvements and improved detection capabilities developed since 2016.
- Wiperware campaigns: Russian cyber operations throughout 2022 featured extensive deployment of destructive "wiper" malware against Ukrainian government, military, and private sector networks, designed to destroy data and render systems inoperable rather than steal information. Wiper families including HermeticWiper, WhisperGate, IsaacWiper, CaddyWiper, and others were deployed in waves against Ukrainian targets. The impact of these operations was significantly limited by rapid detection, isolation of affected systems, and cloud-based backup strategies that had been adopted in anticipation of exactly this threat type. The frequency and variety of wiper deployments demonstrated Russian willingness to invest substantial operational resources in destructive cyber operations even when they produced limited strategic effect.
Ukraine's Cyber Defence
- CERT-UA and the State Service of Special Communications: Ukraine's primary governmental cyber defence structures are the Computer Emergency Response Team of Ukraine (CERT-UA), operating under the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), and the military cyber units within the broader defence establishment. CERT-UA has operated on a wartime footing since February 2022, responding to thousands of confirmed cyber incidents per year, publishing detailed technical indicators for Russian malware campaigns, and coordinating rapid response across government and critical private sector networks. The technical quality of CERT-UA's public reporting — detailed malware analysis, MITRE ATT&CK framework mappings, and IOC sharing — has made it a contribution to global cybersecurity intelligence that extends well beyond Ukraine's own defence needs.
- Cloud migration as a defence strategy: One of the most consequential pre-war decisions for Ukrainian cyber resilience was the early adoption of cloud infrastructure for government data and services. Capitalising on emergency legislation passed in 2021 that allowed government data to be hosted on commercial cloud platforms, Ukraine moved critical datasets, government services, and military information systems to distributed cloud infrastructure hosted by US and European providers. When physical government server rooms in Kyiv became vulnerable to potential Russian missile strikes and seizure, the cloud-hosted systems remained operational and accessible from anywhere with connectivity. Microsoft Azure, Amazon Web Services, and Google Cloud all played active roles in this migration, with company executives making personal commitments to Ukrainian data security at the highest levels.
- Public-private cyber defence ecosystem: Microsoft, ESET, Mandiant (Google), Recorded Future, and other major cybersecurity companies have provided extensive support to Ukraine's cyber defence throughout the war, including direct technical assistance, threat intelligence sharing, and the deployment of staff to support Ukrainian government cyber teams. Microsoft's Digital Security Unit published particularly detailed tracking of Russian cyber operations targeting Ukraine, providing public attribution and technical analysis that supplemented official government disclosure. The depth of private sector involvement in a wartime national cyber defence has few precedents and has been credited by Ukrainian officials with substantially improving the defensive baseline.
IT Army of Ukraine
- Origin and organisation: The IT Army of Ukraine was established on 26 February 2022 — two days after the invasion began — via a Telegram channel created with the involvement of Ukrainian Minister of Digital Transformation Mykhailo Fedorov. The channel quickly attracted over 300,000 subscribers, primarily Ukrainian IT professionals and international volunteer hackers, providing coordinated DDoS attack targets and other cyber mission tasking through public posts. Unlike state cyber operations, the IT Army operates as a decentralised volunteer collective with state guidance but without formal organisational integration, giving Ukrainian authorities a degree of deniability for its operations while benefiting from the mobilised capacity of a large cyber volunteer community.
- Operations and impact: The IT Army's operations have ranged from DDoS attacks against Russian government websites, banking systems, state media, and payment processors to more sophisticated operations involving data exfiltration from Russian organisations and targeted disruption of specific Russian digital services. Russian government websites experienced sustained availability disruptions, particularly in the early weeks of the invasion. More significant were operations that affected Russian banking services, stock exchange systems, and communications providers, generating tangible disruption to Russian civilian and economic digital infrastructure. The impact of individual IT Army operations has been debated — DDoS is generally a temporary and recoverable disruption — but the aggregate effect of sustained operations and the intelligence value of breached Russian databases have been assessed as meaningful by independent analysts.
- Data breaches and information operations: Among the more operationally significant IT Army activities have been data exfiltration operations that produced substantial Russian government, military, and commercial databases subsequently released publicly or shared with intelligence agencies. Leaked Russian military personnel databases, financial records from sanctioned oligarchs, and internal communications from Russian government ministries have provided intelligence value for targeting economic sanctions and exposing corruption, as well as information operations value through selective release to journalists. The ethical and legal questions about operations conducted by loosely affiliated volunteers, and the risk of unintended escalation or collateral damage, have been subjects of ongoing debate among cybersecurity and international law scholars.
Ukrainian Offensive Cyber Operations
- State-conducted offensive operations: Beyond the IT Army, Ukrainian state cyber capabilities — conducted through GUR, SBU, and dedicated military cyber units — have engaged in offensive cyber operations against Russian military systems, logistics networks, and government infrastructure. The specific capabilities and confirmed operations of Ukrainian state offensive cyber are more closely held than the CERT-UA defensive efforts, but public reporting and occasional official Ukrainian statements indicate operations including the disruption of Russian military communications during critical offensive operations, interference with Russian logistics management systems in rear areas, and operations targeting Russian disinformation infrastructure. Western cyber agencies have been direct partners in building Ukrainian offensive capability in addition to defensive work.
- Railway network targeting: Ukrainian cyber operations have reportedly targeted the Russian railway network — specifically the computer systems governing freight routing and scheduling — as part of a broader campaign to disrupt Russian military logistics. The Russian railway system is a critical logistical backbone for frontline supply, and disruptions to its management systems create delays and inefficiencies in the movement of ammunition, equipment, and personnel that compound the impact of physical attacks on rail infrastructure by Ukrainian long-range weapons. The combination of kinetic and cyber pressure on Russian logistics has been a consistent feature of Ukrainian operational planning since 2022.
- Electronic warfare integration: The boundary between cyber operations and electronic warfare (EW) has blurred in the Ukraine conflict in operationally significant ways. Ukraine has developed and deployed electronic warfare systems integrated with cyber capabilities for GPS spoofing, drone communication disruption, and radio frequency exploitation that span both traditional EW and cyber domains. This convergence reflects advances in software-defined radio technology and the general computing capabilities now available in portable battlefield systems, and represents a new operational domain that conventional doctrinal distinctions between "cyber" and "EW" cannot cleanly describe.
Western Cyber Cooperation
- US Cyber Command involvement: US Cyber Command has maintained an active support relationship with Ukrainian cyber defence throughout the war, including the pre-war hunt-forward mission and subsequent classified support activities. The scope of US Cyber Command's involvement has been subject to careful public management by both the Biden and Trump administrations, seeking to provide meaningful cyber support to Ukraine while maintaining defined boundaries on direct offensive operations against Russia that could trigger escalation. Estonian, UK, and other NATO member cyber commands have also been engaged in substantive bilateral support activities, with coordination through NATO cyber governance structures ensuring information sharing and deconfliction among allied activities.
- EU cyber solidarity mechanisms: The European Union has deployed its nascent cyber solidarity tools in support of Ukraine, including the EU Cyber Rapid Response Team mechanism that deploys expert cyber teams to assist member states and associated countries facing serious cyber incidents. Ukrainian networks have been recipients of this support, with EU member state cyber experts deployed to assist in incident response for significant Russian cyber attacks. The EU Cybersecurity Agency (ENISA) has also contributed to threat intelligence sharing arrangements that provide Ukrainian defenders with visibility into Russian cyber techniques observed across Europe's broader target set.
- Commercial sector partnership formalisation: The wartime cyber defence of Ukraine has prompted a formalisation of relationships between Western commercial cybersecurity companies and Ukrainian government institutions that goes well beyond standard commercial relationships. Memoranda of understanding, emergency access arrangements for government data centres, and embedded advisory teams from major vendors have created an institutionalised public-private cyber defence partnership with no exact precedent in previous conflicts. The model — combining government cyber agencies, military cyber commands, allied partner services, and commercial security vendors in a unified cyber defence enterprise — has been studied extensively as a potential template for future comprehensive national cyber resilience programmes.
Critical Infrastructure Resilience
- Energy sector cyber-physical defence: Ukraine's energy infrastructure has been subject to simultaneous physical missile attacks and cyber operations, requiring integrated cyber-physical defence. The DTEK energy company's successful defence against the 2022 Industroyer2 attack demonstrated that even sophisticated industrial control system malware can be defeated with adequate preparation and detection capability. Ukrainian energy companies have invested heavily in operational technology (OT) network segmentation, anomaly detection systems, and manual override procedures that preserve some operational capability even when digital control systems are compromised. These investments, supported by Western partner assistance, have contributed to Ukraine's ability to maintain some power generation despite the devastation of the physical grid.
- Government services continuity: Ukrainian government digital services — including e-governance applications used for everything from military mobilisation administration to civilian benefit payments — have maintained remarkably high availability throughout the war, supported by the cloud migration architecture and redundant communication pathways established before and during the conflict. The Diia mobile application, which provides digital government services and document verification for Ukrainian citizens, has remained operational throughout the war and has been extended with wartime-specific functionality including applications for military service administration, displacement documentation, and humanitarian benefit access. Maintaining government digital service availability under the most intense adversarial cyber pressure of any peacetime or wartime environment on record is one of Ukraine's most under-appreciated digital accomplishments.
- Telecommunications resilience: Ukraine's telecommunications infrastructure has sustained extensive physical damage from missile and drone strikes but has demonstrated substantial resilience through network redundancy, rapid repair capabilities, and the Starlink satellite communication backup that has provided connectivity wherever terrestrial infrastructure has been destroyed. Russian cyber operations targeting telecommunications switching and routing infrastructure have been repeatedly detected and mitigated. Mobile operator networks have maintained service to most of Ukrainian territory, including areas close to active frontlines, enabling both military communications and civilian connectivity that has proven essential for morale, civil administration, and the maintenance of the information environment on which Ukraine's information warfare effort depends.
Frequently Asked Questions
Has Russia's cyber capability been overestimated in the Ukraine war?
The consensus among cybersecurity researchers and intelligence analysts is that Russian cyber capabilities were somewhat overestimated relative to the outcomes observed in the Ukraine conflict, though the question requires nuanced unpacking. Russia's offensive cyber technical capability — the sophistication of its malware, the depth of its persistent access to Ukrainian networks, and the creativity of its operational techniques — has consistently met or exceeded pre-war assessments. What was underestimated was Ukraine's defensive capability and resilience, the effectiveness of Western support in rapidly hardening Ukrainian defences, and the degree to which the pre-war decade of Russian cyber operations against Ukraine had produced a battle-hardened defender with specific knowledge of adversary techniques. Additionally, the wartime context imposed operational constraints on Russian cyber operations — the need to coordinate with kinetic operations, the exposure of intelligence infrastructure through detected operations, and the demand for operational security — that may have limited the sophistication achievable compared to peacetime intrusion campaigns. The Russian cyber threat to Western critical infrastructure remains assessed as severe; the failure to achieve decisive cyber effect in Ukraine reflects specific Ukrainian defensive investments and Western support more than a general decline in Russian capability.
What is the IT Army of Ukraine and how effective has it been?
The IT Army of Ukraine is a volunteer cyber collective established shortly after Russia's invasion began, coordinated through a public Telegram channel and engaging hundreds of thousands of volunteers, including both Ukrainian IT professionals and international supporters, in cyber operations against Russian targets. Its primary tactic has been Distributed Denial of Service (DDoS) attacks against Russian government websites, state media, banking infrastructure, and critical services, supplemented by more targeted operations against specific Russian digital targets coordinated with Ukrainian military intelligence priorities. Assessing effectiveness requires distinguishing between different types of operations. DDoS attacks against public-facing websites have caused significant reputational embarrassment to Russia and temporary availability disruptions but are generally quickly recovered. More sophisticated operations, including data breaches that yielded military personnel lists, financial intelligence, and internal government communications, have produced intelligence of lasting value. The IT Army has also served a significant morale and participation function, providing a channel for Ukrainians and international supporters to contribute directly to the war effort regardless of physical location. Professional cybersecurity opinion on the IT Army is mixed — concerns about undisciplined volunteer operations risking escalation or collateral damage are balanced against acknowledgement that its coordinated civilian engagement has produced outcomes that purely state-directed operations would not have achieved.
Sources
- CERT-UA — Ukrainian Computer Emergency Response Team incident reports, 2022–2026
- Microsoft Digital Security Unit — "Defending Ukraine: Early Lessons from the Cyber War" reports
- Mandiant/Google — APT threat intelligence on Russian cyber operations
- Atlantic Council — cyber conflict in Ukraine policy analysis
- ENISA — European Union Agency for Cybersecurity threat landscape reports
- Recorded Future — Russia-nexus cyber threat monitoring