
Threat Intelligence Sharing: Ukraine-US Bilateral CTI and International Coordination

Cyber threat intelligence (CTI) sharing between Ukraine and its Western partners has evolved from ad hoc exchanges in 2022 into one of the most intensive bilateral intelligence relationships in the cyber domain. The operational pressure of defending against GRU, FSB, and SVR cyber operations—while simultaneously providing intelligence about adversary TTPs that helps partner nations protect their own networks—has driven both sides to build sharing mechanisms with speed and scale that would have seemed impractical in a peacetime context.

Ukraine-US Bilateral CTI Framework

The formal framework for Ukraine-US threat intelligence sharing rests on agreements between SSSCIP and US Cyber Command, CISA, and NSA's Cybersecurity Collaboration Center. Each relationship serves different intelligence needs: US Cyber Command sharing relates primarily to offensive threat actor activity and campaign-level intelligence; CISA sharing focuses on vulnerability exploitation and defensive measures for critical infrastructure; NSA's Cybersecurity Collaboration Center provides technical malware and indicator-level intelligence to CERT-UA.

The practical mechanism for much of this exchange is direct analyst-to-analyst relationships enabled by embedded liaison personnel. US Cyber Command's "hunt forward" operations, deployed to Ukraine beginning before the February 2022 invasion, involved US cyber personnel working alongside Ukrainian counterparts within Ukrainian networks to identify adversary presence and collect intelligence about Russian offensive tools. This generated intelligence that flowed both to improve Ukrainian defenses and to enable US and partner nation network defenders to better detect Russian threat actor techniques.

Five Eyes Ukraine Intelligence Packages

While Ukraine is not a member of the Five Eyes intelligence sharing arrangement (US, UK, Canada, Australia, New Zealand), it has been the recipient of specially prepared intelligence packages from multiple Five Eyes members throughout the conflict. These packages—often issued as public cybersecurity advisories with Ukrainian input—combine sanitized indicator and TTP data from Five Eyes signals intelligence collection with Ukrainian forensic evidence to create comprehensive threat actor profiles that both protect Ukrainian networks and alert parallel infrastructure globally.

The joint US-UK advisories on Russian deployment of INDUSTROYER2 and other destructive malware against Ukrainian infrastructure, issued by CISA, NSA, FBI, and NCSC in coordination with CERT-UA, exemplify this model. The public advisory served Ukrainian critical infrastructure operators while simultaneously warning globally about threats that might later be repurposed against other targets—a force-multiplier effect from Ukraine's front-line defense experience.

MISP Ukraine National Instance

MISP Community Feature   | Ukraine National Instance Details     | Access Level              | Sharing Partners
Indicator volume (2024)  | 200,000+ active IOCs                  | Government agencies only  | CERT-UA, SSSCIP, ministries
Threat actor galaxies    | Custom Ukraine MITRE ATT&CK mappings  | Restricted (TLP:AMBER)    | Trusted international CERTs
International feeding    | CIRCL (Luxembourg), US-ISAC feeds     | TLP:GREEN and TLP:WHITE   | Via bilateral agreements
Automated correlation    | Daily automated indicator matching    | Internal CERT-UA use      | Alerts to subscribed agencies
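The table's "automated correlation" row is the part of a national MISP instance that turns a pile of shared events into alerts. The following is an added example written for this page; it is not CERT-UA's code and not part of the MISP project. The dict layout follows MISP's JSON event format (Event, Attribute and Tag keys; distribution levels 0 to 4; the threat_level_id and analysis codes), while the TLP-to-distribution mapping and the correlation routine are simplified assumptions standing in for MISP's own sharing and correlation engines. Every indicator in it is constructed sample data.

```python
"""Build MISP-style events and correlate indicators across them.

Added example for this page; not CERT-UA's code and not part of MISP.
Event layout follows MISP's JSON format; the TLP-to-distribution mapping
and the correlation routine are simplified assumptions; all indicators
are constructed sample data.
"""
from collections import defaultdict

# MISP distribution levels (MISP data model).
DIST_ORG_ONLY = 0       # your organisation only
DIST_COMMUNITY = 1      # this community (same MISP instance)
DIST_CONNECTED = 2      # connected communities
DIST_ALL = 3            # all communities
DIST_SHARING_GROUP = 4  # an explicit sharing group

# Widest distribution each TLP tag permits. Keeping AMBER and RED inside the
# organisation is a conservative choice made for this example, not a MISP rule.
TLP_TO_DISTRIBUTION = {
    "tlp:white": DIST_ALL, "tlp:clear": DIST_ALL,   # CLEAR is the TLP 2.0 name
    "tlp:green": DIST_COMMUNITY,
    "tlp:amber": DIST_ORG_ONLY, "tlp:amber+strict": DIST_ORG_ONLY,
    "tlp:red": DIST_ORG_ONLY,
}


def make_event(info, tlp, attributes):
    """Return a MISP-shaped event carrying a TLP tag and IDS-flagged attributes.

    attributes: iterable of (misp_type, category, value) tuples.
    """
    tlp = tlp.lower()
    if tlp not in TLP_TO_DISTRIBUTION:
        raise ValueError(f"unknown TLP tag: {tlp}")
    return {
        "Event": {
            "info": info,
            "distribution": TLP_TO_DISTRIBUTION[tlp],
            "threat_level_id": 2,  # MISP: 1 high, 2 medium, 3 low, 4 undefined
            "analysis": 1,         # MISP: 0 initial, 1 ongoing, 2 complete
            "Tag": [{"name": tlp}],
            "Attribute": [
                {"type": t, "category": c, "value": v, "to_ids": True}
                for t, c, v in attributes
            ],
        }
    }


def correlate(events):
    """Return {(type, value): [event info, ...]} for values seen in more than one event.

    Exact-value overlap between events: the simplest form of the daily
    automated indicator matching the table describes.
    """
    seen = defaultdict(set)
    for ev in events:
        e = ev["Event"]
        for attr in e["Attribute"]:
            seen[(attr["type"], attr["value"])].add(e["info"])
    return {key: sorted(infos) for key, infos in seen.items() if len(infos) > 1}


def correlation_alerts(events):
    """Human-readable alert lines, one per correlated indicator."""
    return [
        f"{typ} {val} appears in {len(infos)} events: {'; '.join(infos)}"
        for (typ, val), infos in sorted(correlate(events).items())
    ]


# Constructed sample events (RFC 5737 test addresses, example.* domains,
# placeholder hash); not real indicators.
PLACEHOLDER_SHA256 = "deadbeef" * 8
SAMPLE_EVENTS = [
    make_event("Event A: ministry phishing wave (constructed)", "tlp:amber", [
        ("domain", "Network activity", "login-portal.example.net"),
        ("ip-dst", "Network activity", "192.0.2.10"),
        ("sha256", "Payload delivery", PLACEHOLDER_SHA256),
    ]),
    make_event("Event B: partner feed loader infrastructure (constructed)", "tlp:green", [
        ("ip-dst", "Network activity", "192.0.2.10"),
        ("domain", "Network activity", "cdn-static.example.org"),
    ]),
    make_event("Event C: public advisory sample hashes (constructed)", "tlp:white", [
        ("sha256", "Payload delivery", PLACEHOLDER_SHA256),
    ]),
]

if __name__ == "__main__":
    for line in correlation_alerts(SAMPLE_EVENTS):
        print(line)
```

Run as a script it prints one alert line for the address shared by events A and B and one for the hash shared by events A and C; the domain seen in only one event produces nothing. A real instance would also correlate on partial matches (CIDR ranges, fuzzy hashes) and would carry the originating event's TLP tag through to the alert so that a hit on AMBER material is not broadcast to GREEN subscribers.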

TLP Classification Protocols

The Traffic Light Protocol (TLP) provides a standardized framework for communicating sharing boundaries for sensitive information. Ukraine's national CTI sharing uses TLP across all exchanges: TLP:WHITE (unrestricted, publishable), TLP:GREEN (shareable within the sector or community), TLP:AMBER (limited distribution to the recipient organization and trusted partners), and TLP:RED (restricted to named recipients only). CERT-UA's public advisories use primarily TLP:WHITE and TLP:GREEN, enabling broad distribution while protecting the most sensitive operational indicators.

A persistent challenge in Ukraine's CTI operations is classification consistency: different government agencies, commercial partners, and international liaison officers apply TLP labels with varying levels of rigor. SSSCIP has issued guidance clarifying that TLP markers on intelligence received from partners must be respected and cannot be downgraded without the originator's consent, addressing cases where TLP:AMBER material was shared more widely than intended.
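The two rules in this section, forward only to the audience a marker permits and never downgrade a partner's marker without the originator's consent, are simple enough to enforce in the sharing pipeline rather than by analyst discipline alone. The code below is an added example written for this page, not SSSCIP or CERT-UA code. The marker names cover TLP v1 (WHITE, GREEN, AMBER, RED) as used in the text and the TLP 2.0 renames (CLEAR, AMBER+STRICT); the audience classes and the `Intel` record are assumptions of this example.

```python
"""Enforce TLP markings when storing and re-sharing partner intelligence.

Added example for this page; not SSSCIP or CERT-UA code. Audience classes
and the Intel record are assumptions of this example.
"""
from dataclasses import dataclass, field

# Higher rank = more restrictive. TLP v1 and TLP 2.0 names share ranks.
TLP_RANK = {
    "TLP:WHITE": 0, "TLP:CLEAR": 0,
    "TLP:GREEN": 1,
    "TLP:AMBER": 2,
    "TLP:AMBER+STRICT": 3,
    "TLP:RED": 4,
}

# Most restrictive rank each assumed audience class may still receive.
# AMBER reaches the organisation and its clients; AMBER+STRICT drops clients;
# RED is handled separately because it names individual recipients.
AUDIENCE_MAX_RANK = {
    "public": 0,
    "community": 1,
    "clients": 2,
    "own_org": 3,
}


def normalize_tlp(label):
    """Accept 'amber', 'TLP:Amber', etc. and return the canonical marker."""
    label = label.strip().upper()
    if not label.startswith("TLP:"):
        label = "TLP:" + label
    if label not in TLP_RANK:
        raise ValueError(f"unknown TLP marker: {label}")
    return label


@dataclass
class Intel:
    summary: str
    tlp: str
    originator: str                             # organisation that set the marker
    named_recipients: frozenset = frozenset()   # used only for TLP:RED
    history: list = field(default_factory=list)  # (old, new, who, consent) audit trail


def can_forward(item, audience, recipient=None):
    """True if the item may be given to this audience (or, for RED, this named person)."""
    rank = TLP_RANK[item.tlp]
    if rank == TLP_RANK["TLP:RED"]:
        return recipient is not None and recipient in item.named_recipients
    if audience not in AUDIENCE_MAX_RANK:
        raise ValueError(f"unknown audience: {audience}")
    return rank <= AUDIENCE_MAX_RANK[audience]


def relabel(item, new_label, requested_by, originator_consent=False):
    """Change the marker; refuse a downgrade unless the originator set or agreed to it."""
    new_label = normalize_tlp(new_label)
    old_rank, new_rank = TLP_RANK[item.tlp], TLP_RANK[new_label]
    downgrade = new_rank < old_rank
    if downgrade and not (originator_consent or requested_by == item.originator):
        raise PermissionError(
            f"{requested_by} may not downgrade {item.tlp} to {new_label} "
            f"without consent from originator {item.originator}")
    item.history.append((item.tlp, new_label, requested_by, originator_consent))
    item.tlp = new_label
    return item


if __name__ == "__main__":
    # Constructed scenario: a partner CERT shares AMBER material and a domestic
    # agency wants to push it to the wider community.
    item = Intel("constructed sample: loader C2 infrastructure",
                 normalize_tlp("amber"), originator="partner-cert")
    print("own org:", can_forward(item, "own_org"),
          "community:", can_forward(item, "community"))
    try:
        relabel(item, "green", requested_by="domestic-agency")
    except PermissionError as err:
        print("refused:", err)
    relabel(item, "green", requested_by="domestic-agency", originator_consent=True)
    print("after consent:", item.tlp, "community:", can_forward(item, "community"))
```

The audit trail in `history` is what lets an originator later check how its material was relabelled, which is the evidence needed when a TLP:AMBER package turns up somewhere it should not have.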

Speed Versus Accuracy Tradeoffs in CTI Sharing

Wartime CTI sharing creates acute tension between speed—rapid sharing of indicators enables faster defensive action—and accuracy—sharing inaccurate indicators creates alert fatigue and erodes trust in the intelligence pipeline. CERT-UA has adopted a rapid-sharing, retrospectively-validated model: indicators believed with moderate confidence to be malicious are shared quickly with a confidence annotation, and subsequent analysis updates the indicator record with confirmatory or refuting evidence. Recipients are expected to apply risk-appropriate defenses proportional to the confidence level, rather than treating all shared indicators as definitively malicious.
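The rapid-sharing, retrospectively-validated model only works if the confidence annotation travels with the indicator and drives the recipient's action. The following is an added example written for this page, not CERT-UA's code: an indicator record carries a confidence score, each recipient derives a proportional action from it, and later evidence raises, lowers or revokes the record. The thresholds, the score arithmetic, the sample indicators and the log lines are all constructed for this example.

```python
"""Confidence-annotated indicators with retrospective validation.

Added example for this page; not CERT-UA's code. Thresholds, score
arithmetic, sample indicators and log lines are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Confidence bands (assumed) and the proportional action; checked top-down.
ACTIONS = [
    (0.80, "block"),   # high: block at perimeter / EDR
    (0.50, "alert"),   # moderate: raise an alert for analyst triage
    (0.20, "log"),     # low: record matches for retrospective hunting only
]
REVOKE_BELOW = ACTIONS[-1][0]


@dataclass
class Indicator:
    ioc_type: str
    value: str
    confidence: float          # 0.0 .. 1.0 as annotated by the sharer
    source: str
    revoked: bool = False
    evidence: list = field(default_factory=list)

    def action(self):
        """Defensive action proportional to confidence."""
        if self.revoked:
            return "ignore"
        for threshold, name in ACTIONS:
            if self.confidence >= threshold:
                return name
        return "ignore"


def update_with_evidence(ind, description, confirms, weight=0.25):
    """Retrospective validation: confirming evidence raises the score, refuting lowers it."""
    if not 0 < weight <= 1:
        raise ValueError("weight must be in (0, 1]")
    stamp = datetime.now(timezone.utc).isoformat()
    ind.evidence.append((stamp, description, confirms))
    delta = weight if confirms else -weight
    ind.confidence = round(min(1.0, max(0.0, ind.confidence + delta)), 2)
    if ind.confidence < REVOKE_BELOW:
        ind.revoked = True  # publish a revocation rather than silently dropping it
    return ind


def share_record(ind):
    """The record as a recipient receives it: score and recommended action travel together."""
    return {
        "type": ind.ioc_type, "value": ind.value, "source": ind.source,
        "confidence": ind.confidence, "revoked": ind.revoked,
        "recommended_action": ind.action(), "evidence_count": len(ind.evidence),
    }


def apply_to_log(indicators, log_lines):
    """Match indicators against log lines; returns (line_no, value, action) per hit."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ind in indicators:
            action = ind.action()
            if action != "ignore" and ind.value in line:
                hits.append((n, ind.value, action))
    return hits


# Constructed sample log (RFC 5737 addresses, example.* names); not real traffic.
SAMPLE_LOG = [
    "2026-03-01T10:00:01Z proxy src=10.0.0.5 dst=192.0.2.10 host=login-portal.example.net",
    "2026-03-01T10:00:07Z proxy src=10.0.0.9 dst=198.51.100.7 host=intranet.example.gov",
    "2026-03-01T10:01:15Z dns query=login-portal.example.net answer=192.0.2.10",
]

if __name__ == "__main__":
    ip = Indicator("ip-dst", "192.0.2.10", 0.55, "cert-ua")
    dom = Indicator("domain", "login-portal.example.net", 0.90, "cert-ua")
    print(apply_to_log([ip, dom], SAMPLE_LOG))
    update_with_evidence(ip, "detonation confirmed beaconing to this address", confirms=True)
    print(share_record(ip))
    for note in ("address now resolves to a shared CDN host",
                 "no further beaconing in 14 days",
                 "partner marks as false positive"):
        update_with_evidence(ip, note, confirms=False)
    print(share_record(ip))
```

The moderate-confidence address starts at "alert", moves to "block" once a detonation confirms it, and is revoked after three refuting observations, at which point it stops matching the log at all. Shipping the revocation as an explicit state rather than deleting the record is what keeps recipients from acting on stale copies.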

FAQ

What is CTI and how is it used operationally?

Cyber Threat Intelligence encompasses information about adversary identities, motivations, capabilities, and indicators of compromise. Operationally, CTI informs detection rules, patch prioritization, incident response procedures, and attribution decisions. Good CTI helps defenders anticipate and detect attacks rather than only responding after damage occurs.

What are "hunt forward" operations and what did they achieve in Ukraine?

US Cyber Command's hunt forward operations deploy US cyber personnel to partner nation networks with host nation permission to search for adversary presence. In Ukraine, they identified Russian threat actor tools and techniques before and during the invasion, generating intelligence used to improve both Ukrainian and US network defenses.

What is MISP and why does Ukraine use it?

MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform enabling automated sharing of indicators of compromise, malware samples, and threat actor data. Ukraine's national MISP instance centralizes CTI from multiple sources and distributes actionable intelligence to subscribed government agencies automatically.

Why doesn't Ukraine receive full Five Eyes intelligence?

The Five Eyes arrangement involves deeply integrated intelligence sharing among its five member nations, built on decades of legal frameworks and trust development. Ukraine, as a non-member, receives specially prepared packages rather than full raw feed access, protecting source and method information while still enabling substantial intelligence transfer.

What is TLP:RED and when would it be used in a Ukrainian context?

TLP:RED restricts information to named recipients only, not even their organizations generally. It would be applied to intelligence about specific ongoing operations, identities of sources, or other information whose broader distribution would create immediate operational or safety risk.

Cyber Operations Analysis: Threat Intelligence Sharing: Ukraine-US Bilateral CTI and International Coordination

The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, with Threat Intelligence Sharing: Ukraine-US Bilateral CTI and International Coordination representing a significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of cyber operations related to Threat Intelligence Sharing: Ukraine-US Bilateral CTI and International Coordination provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.

Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Threat Intelligence Sharing: Ukraine-US Bilateral CTI and International Coordination intersects with this threat actor ecosystem in specific ways, whether through the deployment of particular malware families, targeting of specific sectors, or employment of novel techniques that reveal evolving adversary capabilities and intentions.

Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). Threat Intelligence Sharing: Ukraine-US Bilateral CTI and International Coordination informs this evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.

The strategic calculation surrounding cyber operations related to Threat Intelligence Sharing: Ukraine-US Bilateral CTI and International Coordination involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response—including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations—shapes the cost-benefit calculations of Russian cyber strategists.

Lessons for Global Cybersecurity Policy

The cyber dimensions of the Russia-Ukraine conflict represented by Threat Intelligence Sharing: Ukraine-US Bilateral CTI and International Coordination have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.

Frequently Asked Questions

What are the main Russian cyber attacks on Ukraine?

Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.

How has Ukraine defended against Russian cyber attacks?

Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.

What is the role of cyber warfare in the Ukraine conflict?

Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.

Who are the main cyber actors targeting Ukraine?

Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.

What can other countries learn from Ukraine's cyber defense?

Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.