Cyber Aid Packages to Ukraine: Building Digital Resilience Under Attack

Russia's war against Ukraine has been fought simultaneously in the physical and digital domains. Russian state-sponsored cyber actors — including Sandworm (GRU Unit 74455), APT28, and Cozy Bear — launched sustained campaigns against Ukrainian government systems, critical infrastructure, and military networks. The Western cyber response — coordinated across US, UK, EU, and NATO channels — represents the most extensive documented cyber defense assistance to any nation in history, providing Ukraine with detection capabilities, incident response support, intelligence sharing, and technical training that substantially raised the cost of Russian cyber operations.

US CISA and Cyber Command Assistance

The US Cybersecurity and Infrastructure Security Agency (CISA) deployed "hunt teams" — small groups of expert cyber analysts — to Ukraine to conduct network defense analyses before the full-scale invasion and continued coordinating assistance after. These teams work alongside Ukrainian government cyber personnel to identify vulnerabilities, hunt for adversary presence in networks, and improve detection and response capabilities. US Cyber Command (USCYBERCOM) under its "Defend Forward" doctrine engaged in cyber activities in support of Ukraine — the full details of which remain classified, but the existence of active US cyber engagement supporting Ukraine was publicly confirmed by USCYBERCOM leadership. USAID and the State Department separately channeled over $50 million in cyber assistance funding to Ukraine through 2022–2024, covering personnel training, security tools, and institutional capacity building.

UK NCSC: Strategic Engagement

The UK's National Cyber Security Centre (NCSC) — part of GCHQ — signed a cyber cooperation agreement with Ukraine's State Service of Special Communications and Information Protection (SSSCIP) early in the conflict. UK-Ukraine cyber cooperation includes threat intelligence sharing under established bilateral frameworks, technical assistance for specific incident response cases, training for Ukrainian cyber defense personnel, and joint public attribution of Russian cyber operations. The UK has been particularly active in publicly naming Russian cyber actors responsible for attacks on Ukrainian infrastructure, providing diplomatic and legal record-building for potential accountability processes. UK NCSC representatives have given public statements explicitly crediting close cooperation with Ukrainian counterparts as producing intelligence benefits for UK domestic defense as well — demonstrating the reciprocal nature of cyber defense partnerships.

EU ENISA and the Cyber Solidarity Act

The European Union Agency for Cybersecurity (ENISA) enhanced information sharing with Ukraine's cyber authorities under the auspices of the EU-Ukraine Association Agreement and subsequent cyber cooperation protocols. The EU's Cyber Solidarity Act — accelerated partly by the Ukrainian cyber situation — established EU-level cross-border Security Operations Centres (SOCs) that can provide surge capacity assistance to member states and associated partners facing major cyber incidents, with Ukraine as a direct beneficiary of the broader architecture. The EU CYBER DIRECT program specifically funded cyber capacity building in Ukraine. EU member states including the Netherlands, Estonia, and France provided bilateral targeted cyber assistance to Ukrainian agencies beyond the ENISA-level coordination.

NATO CCDCOE: Training and Exercise

NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia — the alliance's dedicated cyber defense research and training center — significantly expanded its Ukraine engagement after February 2022. Ukraine had been given Contributor Nation status at CCDCOE in 2022, enabling greater access to the center's activities. The Locked Shields cyber defense exercise — the world's largest live-fire cyber defense exercise, run annually by CCDCOE — included Ukrainian teams and used scenarios based on actual Russian attack patterns observed in Ukraine. CCDCOE's legal researchers also contributed to ongoing work on applying international law to cyber operations — relevant to documenting Russian cyber attacks as possible violations of international humanitarian law.

Ukraine's Own Cyber Defense Capacity

It would be a serious error to portray Ukraine as only a recipient in this cyber relationship. Ukraine's own cyber community — the SSSCIP, the Cyber Police, and a vibrant private cybersecurity sector — developed substantial defensive capabilities before and during the conflict. The IT Army of Ukraine — crowds of volunteer hackers — conducted offensive-leaning activities against Russian targets, though this is distinct from the state-level defensive work supported by Western partners. Ukrainian cyber professionals' experience dealing with years of Russian attacks since 2014 — including the NotPetya attack of 2017 — had produced battle-hardened expertise that Western partners explicitly valued. The partnership is genuinely bidirectional: Ukraine provides operational threat intelligence on Russian TTPs (tactics, techniques, and procedures) of considerable value to Western cyber defense.

Frequently Asked Questions

Has Russia's cyber offensive against Ukraine been effective?

Less effective than many pre-war assessments predicted. While Russia launched numerous significant attacks — including Viasat satellite hack (Feb 24, 2022), multiple Sandworm attacks on power infrastructure, and government network intrusions — Ukraine's defenses, bolstered by Western assistance and cloud migration of critical systems, prevented the strategic-level disruption Russia sought. Most attacks caused disruption but not catastrophic or irreversible damage.

What did the Viasat attack achieve?

The 24 February 2022 attack on Viasat KA-SAT satellite modems disrupted Ukrainian military communications at the invasion's outset and also knocked out internet for thousands of European customers. It was one of the most geographically broad hacking incidents in history but Ukraine rapidly transitioned to Starlink, substantially mitigating long-term impact.

Has Russia attacked Western cyber infrastructure as retaliation?

Yes — Russian cyber actors have attacked government, energy, transport, and media targets across NATO countries, particularly Baltic states, Poland, Germany, and the UK. NCSC and CISA have jointly attributed multiple campaigns to Russian GRU and SVR units. These attacks have generally caused disruption but not catastrophic damage to Western infrastructure.

What is "Defend Forward" and how does it apply to Ukraine?

USCYBERCOM's "Defend Forward" doctrine involves deploying cyber capabilities to disrupt adversary operations before they reach US networks — essentially, offensive-defensive cyber operations on adversary infrastructure. In the Ukraine context, this means US Cyber Command has taken active measures against Russian cyber infrastructure to degrade its ability to attack Ukraine, as confirmed by USCYBERCOM's commander.

What is the Locked Shields exercise?

Locked Shields is an annual NATO CCDCOE exercise that is the world's largest and most complex live-fire cyber defense exercise. Teams of experts from NATO nations defend simulated national IT systems against realistic attack scenarios. Since 2022, Ukrainian teams participate and exercise scenarios draw on real Russian attack methods and tactics used against Ukraine.

Sources

1. CISA, "CISA Support to Ukraine," cisa.gov, 2024.
2. UK NCSC, "NCSC-Ukraine Cooperation Reports," ncsc.gov.uk, 2024.
3. NATO CCDCOE, "Ukraine as Contributor Nation," ccdcoe.org, 2023.
4. SSSCIP Ukraine, "Ukrainian Cyber Defense Report," cert.gov.ua, 2024.
5. Microsoft Digital Defense Report, "Nation-state Cyber Activities: Ukraine," microsoft.com, 2023.