
Security Operations Centers in Wartime Ukraine: Continuous Defense Under Fire

A Security Operations Center (SOC) is a facility—physical or virtual—where trained security analysts monitor, detect, analyze, and respond to cybersecurity events on an ongoing basis. SOCs serve as the operational nerve centers of an organization's cyber defense, integrating security information and event management (SIEM) systems, endpoint detection and response (EDR) platforms, threat intelligence feeds, and analyst expertise into a continuous defense capability. Operating a SOC during active warfare—with staff potentially displaced, facilities potentially targeted, power intermittent, and the incident volume extraordinarily high—represents one of the most demanding operational security challenges imaginable. Ukraine's experience has generated practical lessons about SOC resilience in extreme conditions.

Ukraine's SOC Landscape

Ukraine's SOC ecosystem spans government, military, and private sector organizations. The National Coordination Centre for Cybersecurity (NCCC) within the National Security and Defense Council serves as a national-level coordination function—it does not itself operate a traditional 24/7 analyst SOC, but coordinates between the sector-specific SOCs and CERT-UA, provides policy direction, and serves as the crisis coordination mechanism during major incidents. CERT-UA operates the national government SOC function, handling incident response for government agencies. Major private sector and telecoms operators maintain their own SOCs: Kyivstar (Ukraine's largest mobile operator), Vodafone Ukraine, and Lifecell all operate SOCs managing security for millions of subscribers. Financial sector SOCs—operated by major banks including PrivatBank and Oschadbank—are critical given the financial sector's prominence as a Russian attack target.

SOC Capability Elements

| SOC Component | Function | Wartime Adaptation Required | Solution Applied |
|---|---|---|---|
| SIEM platform | Log aggregation, correlation | Power backup for continuous ops | Cloud SIEM backup instance |
| EDR consoles | Endpoint threat visibility | Agent coverage on displaced devices | Cloud-delivered EDR |
| Analyst workstations | Investigation and response | Physical security, access under alerts | Hardened facility, remote access |
| Threat intel feeds | IOC enrichment, context | Increased feed volume/priority | CERT-UA + commercial feeds |
| Communications | Team coordination, escalation | Out-of-band during outages | Signal, satellite backup |

Kyivstar SOC: Protecting Ukraine's Largest Telecom

Kyivstar—Ukraine's largest mobile telecommunications operator with over 24 million subscribers—suffered a major cyberattack in December 2023 attributed by Ukrainian authorities to Sandworm/GRU. The attack disrupted mobile services, internet access, and the air raid alert notification system for millions of Ukrainians for several days, representing one of the most consequential cyberattacks on civilian telecommunications infrastructure in the conflict. The incident exposed limitations in detection and containment capabilities that allowed the threat actor to dwell sufficiently to deploy destructive payloads across Kyivstar's infrastructure. Post-incident, Kyivstar undertook a comprehensive SOC rebuild, implementing significantly enhanced detection capabilities, network segmentation, and incident response procedures with support from CrowdStrike. The Kyivstar incident became a reference case for the consequences of insufficient SOC coverage in high-threat telecommunications environments.

Virtual SOC Operations

Traditional physical SOCs face obvious vulnerabilities in a wartime environment—a SOC facility is a potential target, power disruptions affect operations, and staff displacement creates continuity problems. Virtual SOC models—where analysts work from distributed locations, monitoring is cloud-hosted, and coordination occurs through encrypted channels—proved more resilient in many Ukrainian cybersecurity organizations. Cloud-hosted SIEM instances (Azure Sentinel, Google Chronicle, Elastic Cloud SIEM) enabled analysts to continue monitoring from any location with internet access, including from abroad. Virtual SOC architectures intentionally eliminated the single-point-of-failure represented by a centralized physical facility, distributing both the technical infrastructure and human expertise across multiple locations resistant to physical attack or infrastructure disruption.

SOC Metrics in an Active Wartime Environment

SOC performance metrics that are meaningful in peacetime—mean time to detect (MTTD), mean time to respond (MTTR), alert-to-incident conversion rate—remained relevant but required contextual recalibration in wartime Ukraine. Mean time to detect norms were compressed dramatically: given the consequences of a wiper attack executing undetected, MTTD targets that might be measured in days or hours for typical peacetime organizations required reduction to minutes or hours for the highest-priority threat classes. Analyst-to-alert ratios were severely stressed as attack volumes escalated—a single analyst handling alert volumes that would require three in peacetime conditions, creating burnout and accuracy risks. Automation of tier-1 alert triage became a necessity rather than an efficiency improvement, with machine learning alert prioritization flagging the most critical threats for immediate human attention while handling routine false-positive reduction automatically.
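The metrics named above can be computed directly from incident timestamps, and the tier-1 triage described in the last sentence can be sketched as a scoring pass. The following is an added example, not code from the article or from any Ukrainian SOC: it computes MTTD, MTTR and alert-to-incident conversion over a constructed incident set, then runs a rule-based triage that escalates wiper-precursor alerts for immediate human attention and auto-closes a pattern analysts have already tuned out. All incident records, rule names, thresholds and the benign-pattern list are constructed assumptions.

```python
"""Added example (not from the original article): SOC metrics (MTTD, MTTR,
alert-to-incident conversion) over constructed incidents, plus a rule-based
tier-1 triage pass. Every record, rule name and threshold here is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    name: str
    started: datetime     # earliest evidence of attacker activity
    detected: datetime    # when the SOC raised it as an incident
    contained: datetime   # when containment completed


# Constructed sample incidents; times are illustrative only.
T0 = datetime(2026, 3, 1, 8, 0)
INCIDENTS = [
    Incident("phish-01", T0, T0 + timedelta(hours=6), T0 + timedelta(hours=9)),
    Incident("wiper-staging-02", T0, T0 + timedelta(minutes=12), T0 + timedelta(minutes=42)),
    Incident("vpn-bruteforce-03", T0, T0 + timedelta(hours=1), T0 + timedelta(hours=2)),
]


def mttd_minutes(incidents):
    """Mean time to detect: detection minus first attacker activity, in minutes."""
    return mean((i.detected - i.started).total_seconds() / 60 for i in incidents)


def mttr_minutes(incidents):
    """Mean time to respond: containment minus detection, in minutes."""
    return mean((i.contained - i.detected).total_seconds() / 60 for i in incidents)


def conversion_rate(alert_count, incident_count):
    """Share of raw alerts that became confirmed incidents."""
    return incident_count / alert_count if alert_count else 0.0


@dataclass
class Alert:
    id: str
    rule: str               # SIEM/EDR rule that fired (constructed names)
    severity: int           # 1 (low) .. 5 (critical), as set by the rule
    asset_critical: bool    # asset tagged as a critical service
    source: str             # process or device that produced the activity


# Constructed: rules this hypothetical SOC treats as wiper precursors.
WIPER_PRECURSOR_RULES = {"mass-file-rename", "mbr-write", "vss-delete"}
# Constructed: (rule, source) pairs analysts have confirmed benign, e.g. a backup job.
KNOWN_BENIGN = {("scheduled-task-created", "backup-svc")}


def triage_score(alert):
    """Higher score = more urgent. Wiper precursors and critical assets dominate."""
    score = alert.severity * 10
    if alert.rule in WIPER_PRECURSOR_RULES:
        score += 50
    if alert.asset_critical:
        score += 20
    return score


def triage(alerts, escalate_at=60):
    """Split alerts into (escalate, auto_closed, queue), each ordered by score."""
    escalate, auto_closed, queue = [], [], []
    for a in sorted(alerts, key=triage_score, reverse=True):
        if (a.rule, a.source) in KNOWN_BENIGN:
            auto_closed.append(a.id)          # routine false positive, no analyst time
        elif triage_score(a) >= escalate_at:
            escalate.append(a.id)             # immediate human attention
        else:
            queue.append(a.id)                # normal tier-1 queue
    return escalate, auto_closed, queue


# Constructed sample alerts for one shift.
ALERTS = [
    Alert("a1", "mass-file-rename", 4, True, "unknown.exe"),
    Alert("a2", "scheduled-task-created", 2, False, "backup-svc"),
    Alert("a3", "failed-logon-burst", 3, False, "vpn-gw"),
    Alert("a4", "vss-delete", 5, False, "cmd.exe"),
]

if __name__ == "__main__":
    print(f"MTTD {mttd_minutes(INCIDENTS):.0f} min, MTTR {mttr_minutes(INCIDENTS):.0f} min")
    print(f"conversion {conversion_rate(200, len(INCIDENTS)):.3f}")
    print("triage:", triage(ALERTS))
```

The scoring weights are deliberately simple so that the ordering is auditable by an analyst; in a real SOC the benign list and the precursor rule set are tuned continuously, and anything auto-closed should still be logged so the tuning can be reviewed.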

FAQ

What is a Security Operations Center (SOC)?
A SOC is a facility or team responsible for continuous monitoring, detection, analysis, and response to cybersecurity events. SOC analysts use SIEM platforms, EDR tools, threat intelligence, and response procedures to detect ongoing attacks and initiate containment and recovery actions in real-time.
What was the Kyivstar cyberattack?
In December 2023, Kyivstar—Ukraine's largest mobile operator with 24+ million subscribers—suffered a major cyberattack attributed to Russia's Sandworm group, disrupting mobile services and internet for millions for several days and disabling air raid alert notifications. It was one of the most impactful cyberattacks on civilian telecommunications in the conflict.
What is the NCCC?
Ukraine's National Coordination Centre for Cybersecurity (NCCC), operating within the National Security and Defense Council, is the national policy and coordination body for cybersecurity. It coordinates between government agencies, sector regulators, and CERT-UA, sets cybersecurity policy direction, and manages interagency crisis coordination for major cyber incidents.
What is SIEM?
Security Information and Event Management (SIEM) is a platform that aggregates log data from across an organization's IT environment—servers, network devices, applications, endpoints—and applies correlation rules and analytics to detect patterns indicative of security incidents. It forms the technical core of most SOC operations.
How do SOCs operate during power outages?
Resilient SOCs use UPS and generator backup for physical facilities, cloud-hosted SIEM instances accessible from any location, distributed analyst teams who can continue monitoring remotely during facility power loss, and out-of-band communication (satellite or cellular) for team coordination when primary networks are disrupted.
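The SIEM correlation described in the FAQ above (aggregating logs and applying rules to detect patterns) can be illustrated with a small worked example. This is an added example, not code from the article or from any product named on the page: it parses constructed log lines in a made-up format and applies two correlation rules, a logon brute-force pattern (a burst of failures from one source followed by a success) and shadow-copy deletion appearing on several hosts within a short window, which a SOC would treat as a wiper precursor. The log format, field names, thresholds, host names and IP addresses are all constructed.

```python
"""Added example (not from the original article): a minimal SIEM-style
correlation pass over constructed log lines. The line format, thresholds,
hosts and addresses are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> host=<h> src=<ip> event=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")


def parse(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # malformed lines are skipped, never trusted
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def rule_bruteforce(events, fails=5, window=timedelta(minutes=5)):
    """Flag sources with >= `fails` failed logons in `window` followed by a success."""
    hits = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "logon_success":
                continue
            recent_fails = [x for x in evs[:i]
                            if x["event"] == "logon_failure"
                            and e["ts"] - x["ts"] <= window]
            if len(recent_fails) >= fails:
                hits.append((src, e["host"], e["ts"].isoformat()))
                break                    # one finding per source is enough
    return hits


def rule_mass_vss_delete(events, hosts=3, window=timedelta(minutes=10)):
    """Flag shadow-copy deletion on >= `hosts` distinct hosts inside `window`."""
    dels = sorted((e for e in events if e["event"] == "vss_delete"),
                  key=lambda e: e["ts"])
    for i, first in enumerate(dels):
        seen = {x["host"] for x in dels[i:] if x["ts"] - first["ts"] <= window}
        if len(seen) >= hosts:
            return (first["ts"].isoformat(), sorted(seen))
    return None


# Constructed sample log lines (TEST-NET addresses, invented host names).
SAMPLE_LOGS = """\
2026-03-01T08:00:00 host=vpn-gw src=203.0.113.7 event=logon_failure
2026-03-01T08:00:20 host=vpn-gw src=203.0.113.7 event=logon_failure
2026-03-01T08:00:40 host=vpn-gw src=203.0.113.7 event=logon_failure
2026-03-01T08:01:00 host=vpn-gw src=203.0.113.7 event=logon_failure
2026-03-01T08:01:20 host=vpn-gw src=203.0.113.7 event=logon_failure
2026-03-01T08:02:00 host=vpn-gw src=203.0.113.7 event=logon_success
2026-03-01T08:03:00 host=vpn-gw src=198.51.100.9 event=logon_failure
2026-03-01T08:03:30 host=vpn-gw src=198.51.100.9 event=logon_success
2026-03-01T08:30:00 host=ws-01 src=10.0.0.5 event=vss_delete
2026-03-01T08:31:00 host=ws-02 src=10.0.0.5 event=vss_delete
2026-03-01T08:33:00 host=srv-01 src=10.0.0.5 event=vss_delete
this line is malformed and must be ignored
"""


def run(text):
    """Parse all lines and evaluate both rules; returns a summary dict."""
    events = [e for e in (parse(line) for line in text.splitlines()) if e]
    return {
        "parsed": len(events),
        "bruteforce": rule_bruteforce(events),
        "mass_vss_delete": rule_mass_vss_delete(events),
    }


if __name__ == "__main__":
    for k, v in run(SAMPLE_LOGS).items():
        print(k, v)
```

Both rules are time-window correlations rather than single-event matches, which is the property that distinguishes a SIEM from plain log search: the second source in the sample (one failure, then success) is an ordinary mistyped password and produces no finding, while the shadow-copy rule only fires once the same activity is seen across several hosts.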


Cyber Operations Analysis: Security Operations Centers in Wartime Ukraine: Continuous Defense Under Fire

The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, and wartime SOC operations are a significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of the cyber operations that these SOCs defend against provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.

Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Wartime SOC operations intersect with this threat actor ecosystem in specific ways, whether through the detection of particular malware families, the defense of specific targeted sectors, or the observation of novel techniques that reveal evolving adversary capabilities and intentions.

Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). The SOC experience described above informs this evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.

The strategic calculation surrounding the cyber operations that these SOCs face involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response—including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations—shapes the cost-benefit calculations of Russian cyber strategists.

Lessons for Global Cybersecurity Policy

The cyber dimensions of the Russia-Ukraine conflict, of which wartime SOC operations are one example, have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.

Frequently Asked Questions

What are the main Russian cyber attacks on Ukraine?

Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.

How has Ukraine defended against Russian cyber attacks?

Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.

What is the role of cyber warfare in the Ukraine conflict?

Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.

Who are the main cyber actors targeting Ukraine?

Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.

What can other countries learn from Ukraine's cyber defense?

Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.