
Critical Infrastructure Red Teaming: Testing Ukraine's Defenses Before and After Invasion

Red teaming, in which security specialists emulate the tactics, techniques, and procedures of real adversaries to find weaknesses before those adversaries do, is among the most effective assessment methodologies for critical infrastructure. Where a penetration test looks for specific vulnerabilities within a defined scope, a red team exercise runs a complete attack scenario from initial access through impact and tests detection, response, and recovery as a whole. For Ukrainian critical infrastructure (electricity generation and distribution, water treatment, financial systems, communications), red team exercises conducted before the 2022 invasion produced findings whose value became apparent when real attacks followed.

Pre-War Red Team Exercises

After the December 2015 attack on Ukrainian distribution utilities, the first confirmed cyberattack to cause a power outage, international partners began supporting red team exercises across Ukrainian critical infrastructure sectors. US Cyber Command's Hunt Forward Operations, primarily defensive hunt deployments on partner networks, included a red team component, while CISA advisors and contractor teams assessed Ukrainian energy and water utilities. These exercises identified systemic issues that were only partially remediated before the 2022 invasion: poor network segmentation between IT and OT environments, default credentials on industrial control system interfaces, unpatched internet-facing systems, insufficient logging on OT networks, and inadequate backup and recovery for OT systems. The April 2022 Industroyer2 intrusion targeted an energy operator that had taken part in pre-war exercises; the awareness those exercises built contributed to the detection that let CERT-UA, working with ESET, stop the malware before its scheduled execution.

ICS/OT Red Teaming Methodology

Red Team Phase         | ICS/OT Specific Consideration             | Safety Constraint                            | Typical Finding
Reconnaissance         | Shodan/Censys OT asset discovery          | No active scanning of live OT                | Internet-exposed HMIs, historians
Initial access (IT)    | Phishing, VPN brute-force                 | Standard IT limits apply                     | Weak credentials, no MFA
IT-to-OT pivot         | Dual-homed systems, shared accounts       | No actual OT changes                         | Flat network, shared credentials
OT network exploration | Passive asset discovery, traffic analysis | Read-only, no command sending                | Undocumented assets, legacy systems
Impact simulation      | Document what attacker could achieve      | Never send control commands to live systems  | Identified attack paths to disruptive actions
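The "passive asset discovery, read-only" row is the one most often done wrong in practice, so here is an added example of what it looks like in code. This is not code from the page or from any agency's toolkit: it parses Modbus/TCP frames that a red team captured on a SPAN port, builds a device inventory from the requests only, and gates anything an operator might try to transmit behind a policy that denies everything by default and never permits a write function code. The addresses, frames and port numbers are constructed for illustration.

```python
"""Passive Modbus/TCP inventory with a read-only send policy.

Added example for the OT exploration phase (not code from the page or
from any agency's toolkit). Frames come from a capture on a SPAN port;
nothing is transmitted. All addresses and frames are constructed.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
READ_FUNCTIONS = {1, 2, 3, 4}             # coils, discrete inputs, holding/input registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # single/multiple coil and register writes


def mb_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame: MBAP header (tid, proto 0, length, unit) + PDU."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


def parse_mbap(payload: bytes) -> dict:
    """Parse MBAP header and function code; reject malformed frames rather
    than guessing, so a bad capture never pollutes the inventory."""
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = payload[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": payload[8:]}


def build_inventory(frames):
    """frames: (src_ip, src_port, dst_ip, dst_port, payload) tuples.
    Only client->server requests (dst port 502) are used, so the
    destination is the device and the source is whoever drives it."""
    inventory = defaultdict(lambda: {"units": set(), "reads": set(),
                                     "writes": set(), "masters": set()})
    malformed = 0
    for src, sport, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue                      # responses add no asset facts here
        try:
            req = parse_mbap(payload)
        except ValueError:
            malformed += 1
            continue
        dev = inventory[dst]
        dev["units"].add(req["unit"])
        dev["masters"].add(src)
        if req["fc"] in READ_FUNCTIONS:
            dev["reads"].add(req["fc"])
        elif req["fc"] in WRITE_FUNCTIONS:
            dev["writes"].add(req["fc"])
    return dict(inventory), malformed


def permitted_by_policy(payload: bytes, reads_allowed: bool = False) -> bool:
    """Engagement gate for anything an operator tries to transmit to OT.
    Default is deny-all (passive only); with explicit written authorisation
    reads may be enabled, but write function codes are never permitted."""
    try:
        req = parse_mbap(payload)
    except ValueError:
        return False
    return reads_allowed and req["fc"] in READ_FUNCTIONS and not req["exception"]


# Constructed capture: one SCADA master (10.20.1.5), one engineering
# workstation (10.20.1.7), two PLCs (10.20.1.10, 10.20.1.11).
SAMPLE_FRAMES = [
    ("10.20.1.5", 50001, "10.20.1.10", 502, mb_frame(1, 1, 3, b"\x00\x00\x00\x0a")),   # read 10 holding regs
    ("10.20.1.10", 502, "10.20.1.5", 50001, mb_frame(1, 1, 3, b"\x14" + b"\x00" * 20)),  # response
    ("10.20.1.5", 50002, "10.20.1.11", 502, mb_frame(2, 2, 5, b"\x00\x01\xff\x00")),   # write single coil
    ("10.20.1.10", 502, "10.20.1.5", 50001, mb_frame(3, 1, 0x83, b"\x02")),            # exception response
    ("10.20.1.7", 50100, "10.20.1.10", 502, mb_frame(4, 1, 16, b"\x00\x10\x00\x01\x02\x00\x2a")),  # write 1 register
    ("10.20.1.9", 50200, "10.20.1.10", 502, b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x01"),   # protocol id 1: malformed
]

if __name__ == "__main__":
    inv, bad = build_inventory(SAMPLE_FRAMES)
    for ip, facts in sorted(inv.items()):
        print(ip, facts)
    print("malformed frames:", bad)
```

The inventory is what feeds the "undocumented assets" and "identified attack paths" findings: every device seen, which unit IDs answer on it, and which hosts have actually written to it. A write function code arriving from a host that is not the known master or engineering workstation is itself a finding worth reporting, and the policy gate exists so that the team's own tooling can never become that host.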

CISA Red Team Methodology

CISA (the US Cybersecurity and Infrastructure Security Agency) runs its critical infrastructure red team program under a structured methodology that has been adapted for international engagements including Ukraine. Its operators work from an "assume breach" starting point: the adversary already has initial access, which matches the realistic posture of organizations such as Ukrainian energy operators where Russian state actors have held a foothold before. The exercises test detection (will the SOC notice lateral movement?) and response (will the IR team follow the right steps?) as much as they test technical vulnerabilities. Findings from these engagements are anonymized and folded into published guidance, such as CISA's joint cybersecurity advisories on red team key findings and sector-specific recommendations, turning individual assessments into a shared knowledge base.

Wartime Assessment Challenges

Conducting red team exercises during active warfare presents obvious difficulties: security staff have higher-priority operational tasks, changes made while actively defending systems create a moving assessment target, and the normal practice of keeping defenders in the dark about the exercise (or asking them to stand down on red team activity so that it can run its course) is hard to justify while real intrusions are under way. Wartime critical infrastructure assessment therefore shifted toward purple team methodologies: collaborative exercises in which red and blue teams work together on specific detection scenarios, with the blue team watching the simulated technique run and confirming that its tooling raises the expected alert. Purple teaming validates detection without the operational risk of full adversarial simulation when defenses are already stressed by ongoing attacks.
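The assume-breach question in the CISA section ("will the SOC detect lateral movement?") and the purple-team check described here ("does the expected alert fire?") are the same problem seen from two sides, so one added example covers both. This is not code from the page, from CISA or from CERT-UA: two small analytics run over constructed Windows Security log lines, one for an account fanning out over network logons (event 4624, logon type 3) and one for a service install (event 7045) that follows such a logon, and a purple-team scorecard then compares the alerts the red team expected against the ones that fired. The log format, host names, accounts, addresses and timestamps are all made up; a real deployment would read the same fields from the SIEM.

```python
"""Detection validation for an assumed-breach lateral-movement scenario.

Added example (not code from the page, CISA or CERT-UA). Two analytics
run over constructed Windows Security log lines, then a purple-team
check compares expected alerts against what fired. Every host, account,
address and timestamp below is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_WINDOW = timedelta(minutes=10)   # window for counting distinct targets
FANOUT_HOSTS = 3                        # distinct hosts one account must reach
SERVICE_WINDOW = timedelta(minutes=5)   # allowed gap between logon and service install


def parse_line(line: str) -> dict:
    """Lines are 'ISO-timestamp key=value key=value ...' (constructed format)."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def network_logons(events):
    """Successful network logons: the SMB/RPC footprint of lateral movement."""
    return [e for e in events if e.get("event") == "4624" and e.get("logon_type") == "3"]


def detect_fanout(events):
    """One account reaching >= FANOUT_HOSTS distinct hosts inside FANOUT_WINDOW."""
    by_user = defaultdict(list)
    for e in network_logons(events):
        by_user[e["user"]].append(e)
    alerts = []
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logons):
            hosts = {first["host"]}
            for later in logons[i + 1:]:
                if later["ts"] - first["ts"] > FANOUT_WINDOW:
                    break
                hosts.add(later["host"])
            if len(hosts) >= FANOUT_HOSTS:
                alerts.append(("lateral_fanout", user, tuple(sorted(hosts))))
                break                      # one alert per account is enough
    return alerts


def detect_remote_service(events):
    """Service installed (7045) on a host within SERVICE_WINDOW of a network
    logon to that host: the PsExec-style remote execution pattern."""
    alerts = []
    logons = network_logons(events)
    for svc in (e for e in events if e.get("event") == "7045"):
        for lg in logons:
            gap = svc["ts"] - lg["ts"]
            if lg["host"] == svc["host"] and timedelta(0) <= gap <= SERVICE_WINDOW:
                alerts.append(("remote_service_exec", lg["user"], svc["host"], svc["service"]))
                break
    return alerts


def run_detections(lines):
    events = [parse_line(l) for l in lines if l.strip()]
    return detect_fanout(events) + detect_remote_service(events)


def purple_check(expected: set, fired) -> dict:
    """Purple-team scorecard: expected alerts that never fired, and alerts
    that fired without being part of the agreed scenario."""
    fired_names = {a[0] for a in fired}
    return {"missing": sorted(expected - fired_names),
            "unexpected": sorted(fired_names - expected)}


# Constructed baseline: normal admin activity, must stay silent.
BASELINE_LINES = [
    "2026-03-10T08:00:03Z host=FS-01 event=4624 logon_type=3 user=alice src_ip=10.10.5.40",
    "2026-03-10T08:05:17Z host=FS-02 event=4624 logon_type=3 user=alice src_ip=10.10.5.40",
    "2026-03-10T08:12:44Z host=WS-030 event=4624 logon_type=2 user=jdoe src_ip=-",
    "2026-03-10T08:50:01Z host=WS-030 event=7045 service=SomeVendorUpdater",
]

# Constructed red-team run: a service account fans out over SMB, then
# drops a PsExec service on the historian.
RED_LINES = BASELINE_LINES + [
    "2026-03-10T09:01:12Z host=WS-014 event=4624 logon_type=3 user=svc_backup src_ip=10.10.5.23",
    "2026-03-10T09:03:40Z host=WS-022 event=4624 logon_type=3 user=svc_backup src_ip=10.10.5.23",
    "2026-03-10T09:06:05Z host=SRV-HIST event=4624 logon_type=3 user=svc_backup src_ip=10.10.5.23",
    "2026-03-10T09:07:30Z host=SRV-HIST event=7045 service=PSEXESVC",
]

if __name__ == "__main__":
    fired = run_detections(RED_LINES)
    print(fired)
    print(purple_check({"lateral_fanout", "remote_service_exec"}, fired))
```

The baseline matters as much as the attack run: an admin touching two file servers and a vendor updater registering a service must not trip either rule, otherwise the blue team learns to ignore the alert. The "unexpected" list in the scorecard is where a purple team finds rules that fire on the red team's noise rather than on the technique being validated.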

Post-War Security Audit Planning

Ukraine's post-war reconstruction of critical infrastructure includes comprehensive security auditing, both as a condition of international reconstruction funding and to meet the sector requirements that come with EU accession. Post-war audits face a distinctive problem: many systems will be rebuilt outright during reconstruction, making pre-war vulnerability assessments moot, while newly deployed infrastructure (new generation equipment, rebuilt telecommunications networks, new water treatment plants) must be assessed before it goes live. International partners, including the US, EU member state security agencies, and NATO, have committed to supporting post-war assessments, with the goal that rebuilt Ukrainian infrastructure meets international security standards from initial deployment rather than having security retrofitted onto systems already in service.

FAQ

What is the difference between red teaming and penetration testing?
Penetration testing focuses on finding specific technical vulnerabilities in defined scope. Red teaming simulates a complete adversary campaign—from initial reconnaissance through impact—testing not just technical vulnerabilities but detection, response, and recovery capabilities against a realistic adversary simulation. Red team scope is typically broader and the engagement more prolonged.
Why is OT/ICS red teaming different from IT red teaming?
OT/ICS systems control physical processes where errors can cause physical harm or dangerous conditions. Red teams must operate under strict safety constraints: no sending commands to live control systems, preference for passive discovery, simulation of impact scenarios in documentation rather than actual execution. This requires specialized OT security knowledge beyond typical IT red team skills.
What is purple teaming?
Purple teaming is a collaborative security assessment where red team operators demonstrate attack techniques while the blue team (defenders) observes, verifies that detection tools correctly fire, and validates response procedures. Unlike traditional red vs. blue adversarial exercises, purple teaming focuses on joint learning and detection validation rather than competitive scoring.
What was found in pre-war Ukrainian energy sector red team exercises?
Pre-war exercises consistently found: poor IT/OT network segmentation, default or weak credentials on industrial control systems, unpatched internet-facing systems, insufficient audit logging for OT network activity, and inadequate backup/recovery for OT systems. Many findings were partially remediated but the volume of vulnerabilities exceeded remediation capacity before the invasion.
How do red team findings inform defensive improvements?
Red team reports rank findings by severity and exploitability and give specific remediation guidance, so defenders can prioritize patching, segmentation, and detection improvements along the exploitation paths that were actually demonstrated. CISA publishes anonymized, sector-level findings in its cybersecurity advisories, so organizations that were never assessed directly can still act on what other engagements found.

Sources

  1. CISA, "Critical Infrastructure Red Teaming Methodology," ICS Advisory, 2022
  2. ESET, "Industroyer2 Technical Analysis," 2022
  3. Dragos, "Ukraine ICS Threat Landscape," 2022-2023
  4. E-ISAC, "Critical Infrastructure Red Team Lessons Learned," 2022
  5. NIST SP 800-115, "Technical Guide to Information Security Testing and Assessment"

Cyber Operations Analysis: Critical Infrastructure Red Teaming: Testing Ukraine's Defenses Before and After Invasion

The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, and the red teaming of critical infrastructure before and during the invasion is one dimension of that environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the full-scale invasion of February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of the operations these exercises were preparing for provides context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.

Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), APT29/Cozy Bear (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Red team exercises against Ukrainian infrastructure are built around this actor set: the scenarios they emulate draw on these groups' known malware families, the sectors they target, and the techniques that reveal how their capabilities and intentions are evolving.

Ukraine's cyber defense architecture, strengthened with Western assistance through programs such as the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has shown growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to the global understanding of Russian tactics, techniques, and procedures (TTPs). Red team findings feed this defensive picture, showing where Ukrainian defenses have held and where vulnerabilities remain.

The strategic calculation around cyber operations against infrastructure involves trade-offs between operational effect, attribution risk, and escalation management. Russia's use of destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber capabilities as a coercive instrument alongside physical military operations. The international response, including intelligence sharing, cyber defense assistance, and possible offensive cyber operations by allied nations, shapes the cost-benefit calculations of Russian cyber planners.

Lessons for Global Cybersecurity Policy

The cyber dimensions of the Russia-Ukraine conflict, including the infrastructure red teaming described above, have generated lessons for national cybersecurity strategies worldwide: the importance of pre-positioning defensive measures before conflict begins, the value of international cyber defense cooperation frameworks, the role of private sector security companies in supporting national defense, and the limits of cyber operations as a strategic coercive tool. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.

Frequently Asked Questions

What are the main Russian cyber attacks on Ukraine?

Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the 2015 and 2016 attacks on the power grid, NotPetya (2017), the Viasat KA-SAT attack at the start of the full-scale invasion, and continuous operations against government, military, and civilian targets since.

How has Ukraine defended against Russian cyber attacks?

Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.

What is the role of cyber warfare in the Ukraine conflict?

Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.

Who are the main cyber actors targeting Ukraine?

Russian state-affiliated groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), and Turla (FSB). On the Ukrainian side are the country's own cyber forces, volunteer groups such as the IT Army of Ukraine, and allied intelligence and cyber units.

What can other countries learn from Ukraine's cyber defense?

Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.