Cyber Threat Landscape of the Russia-Ukraine War (Jan 2022 – Jan 2026)

This threat note was authored by Louis-Charles Beyeler (Pre Sales) and Anne-Claire Chaugny (Cyber Operations). Published April 28, 2026.

The cyber dimension of the Russia-Ukraine war has produced a noisy four-year record, with thousands of DDoS waves, defacements, and hack-and-leak operations claimed openly on Telegram by the groups carrying them out. The activity is public, repetitive, and easy to count.

Read our cyber-focused analysis of this 4-year conflict.

What the dataset shows

Between January 2025 and January 2026, the CybelAngel REACT team recorded 1,651 cyber incidents targeting Ukrainian entities and 575 targeting Russian entities. The asymmetry isn’t new, since the prior twelve months looked nearly identical in shape and scale. The composition of the activity is where the picture gets more interesting.

Against Ukraine, 84% of recorded activity is DDoS, an operational pattern that is sustained, reactive to political events, and overwhelmingly concentrated in a single actor. Against Russia, 62% of activity is data breach claims and 26% is defacement, distributed across a wider set of groups operating on a hack-and-leak model rather than a disruption model. The result is two conflicts running in parallel under one banner, with two different doctrines and two different defensive problems to solve.

Why the numbers mislead

The cyber dimension of the Russia-Ukraine conflict operates on two distinct timescales. The first is reactive and highly visible: pro-Russian hacktivist groups including NoName057(16) launch DDoS and defacement waves within 24 to 72 hours of political triggers such as arms shipments or parliamentary votes, claim them openly on Telegram, and account for 84% of recorded incidents against Ukraine. The second is sustained and largely unclaimed: state-sponsored groups including APT28 and Gamaredon conduct espionage and pre-positioning that rarely surfaces in the dataset, which is why initial access claims sit at just 3.4%. This second category produced the FrostyGoop attack of January 2024, which disrupted district heating in Lviv for 48 hours during sub-zero temperatures and affected more than 600 residential buildings.

What’s inside the report

I. Threat Landscape. A look at attack volumes and types from January 2025 to January 2026, with a year-on-year comparison against the prior period. The section breaks down sectoral targeting on both sides, including the rise of insurance to third place among Ukrainian targets, and profiles the main players: pro-Russian hacktivism, pro-Ukrainian hacktivism, and the two Russian state APTs running the espionage track, APT28 (GRU Unit 26165) and Gamaredon (FSB Center 18, later GRU).

II. Operational Tradecraft and Effects. A closer look at DDoS, defacement, and data breach claims, including why DDoS activity against Russia fell from 86 to 41 incidents while activity against Ukraine held steady at 1,391. The section also covers the sharp rise in defacement against Russia from 15 to 152 incidents, with Anonymous Italia alone claiming 133, and explains how pro-Ukrainian hack-and-leak operations differ from APT espionage through cases like the GUR’s 2022 doxing of 620 alleged FSB officers and the 100 GB exfiltration from the Russian Ministry of Defense in January 2024.

III. Cross-Border Spillover: The NoName057(16) Case. A focused study of the most active threat actor in the world this year, with roughly 5,000 claimed attacks since January 2025, four times the volume of its nearest rival. The section looks at why the group targets Germany, Italy, France, and Spain more than Ukraine itself, how its activity tracks political and military events, and why it began joining pro-Iranian campaigns in March 2026.

IV. Defensive Implications. Six mitigation themes drawn from the data:

  • Inventory internet-exposed IP cameras, in light of APT28’s reconnaissance campaign against more than 10,000 devices
  • Detect LNK and HTA files to counter Gamaredon’s spearphishing model
  • Contain IT-to-OT movement within 48 hours, based on the Industroyer2 and FrostyGoop cases
  • Scope DDoS protection beyond the main portal to cover the full attack surface
  • Wire political-event monitoring into SOC posture and defensive readiness
  • Pre-build the narrative response for hacktivist incidents that generate disproportionate media coverage
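The second mitigation theme above, detecting LNK and HTA files delivered by spearphishing, is the one most directly expressible as detection logic. The following is an added example written for this note, not code from the report or from CybelAngel: it runs two simple checks over constructed JSON log lines. On the mail side it flags attachments (including members of attached archives) whose final extension is .lnk or .hta, which also catches double-extension names such as report.pdf.lnk. On the endpoint side it flags mshta.exe being fed a URL or a user-writable path, and explorer.exe spawning a script interpreter whose working directory is a download or temp location, the usual shape of a double-clicked shortcut. The log field names, the sample events, and the "user-writable" path patterns are all assumptions made for the illustration, not any product's schema.

```python
"""Added example: flag LNK/HTA delivery and execution in constructed log lines.
Field names, log shapes and path heuristics are assumptions for this
illustration, not any vendor's schema or the report's own tooling."""
import json
import re
from pathlib import PureWindowsPath

RISKY_EXT = {".lnk", ".hta"}
# Interpreters a double-clicked shortcut typically launches (assumed list).
SHORTCUT_INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Locations where a mailed attachment usually lands before being opened (assumed).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)(\\|$)|\\temp(\\|$)", re.I)


def risky_attachment_names(names):
    """Return names whose final extension is .lnk or .hta.
    PureWindowsPath.suffix is the last extension, so 'invoice.pdf.lnk' is caught."""
    return [n for n in names if PureWindowsPath(n).suffix.lower() in RISKY_EXT]


def check_mail_event(event):
    """Inspect one mail-gateway event; archive members are checked as well,
    since the LNK/HTA is often wrapped in a ZIP rather than attached bare."""
    names = list(event.get("attachments", []))
    for members in event.get("archive_members", {}).values():
        names.extend(members)
    hits = risky_attachment_names(names)
    if hits:
        return {"rule": "mail.lnk_hta_attachment", "sender": event["sender"], "files": hits}
    return None


def check_process_event(event):
    """Inspect one process-creation event.
    Rule 1: mshta.exe given a URL or a user-writable path on its command line.
    Rule 2: explorer.exe spawning a script interpreter whose working directory
            is user-writable (what a double-clicked shortcut in Downloads looks like)."""
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    cmd = event.get("command_line", "")
    cwd = event.get("current_directory", "")
    if image == "mshta.exe" and (re.search(r"https?://", cmd, re.I) or USER_WRITABLE.search(cmd)):
        return {"rule": "proc.mshta_untrusted_source", "host": event["host"], "cmd": cmd}
    if parent == "explorer.exe" and image in SHORTCUT_INTERPRETERS and USER_WRITABLE.search(cwd):
        return {"rule": "proc.shortcut_launched_interpreter", "host": event["host"], "cmd": cmd}
    return None


def detect(lines):
    """Parse JSON log lines, dispatch on the 'type' field, collect alerts."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        check = check_mail_event if event["type"] == "mail" else check_process_event
        alert = check(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log lines (not real telemetry). Backslashes are JSON-escaped.
SAMPLE_LOG = [
    r'{"type":"mail","sender":"x@example.invalid","attachments":["agenda.docx"]}',
    r'{"type":"mail","sender":"y@example.invalid","attachments":["report.pdf.lnk"]}',
    r'{"type":"mail","sender":"z@example.invalid","attachments":["docs.zip"],'
    r'"archive_members":{"docs.zip":["readme.txt","open_me.hta"]}}',
    r'{"type":"process","host":"ws-07","image":"C:\\Windows\\System32\\mshta.exe",'
    r'"parent_image":"C:\\Windows\\explorer.exe",'
    r'"command_line":"mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\open_me.hta",'
    r'"current_directory":"C:\\Users\\alice\\Downloads"}',
    r'{"type":"process","host":"ws-07","image":"C:\\Windows\\System32\\cmd.exe",'
    r'"parent_image":"C:\\Windows\\explorer.exe","command_line":"cmd.exe /c start report.pdf",'
    r'"current_directory":"C:\\Users\\alice\\Downloads"}',
    r'{"type":"process","host":"srv-01","image":"C:\\Windows\\System32\\cmd.exe",'
    r'"parent_image":"C:\\Windows\\System32\\services.exe","command_line":"cmd.exe /c backup.bat",'
    r'"current_directory":"C:\\ops"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as a script, it prints four alerts: two for the mail events (the bare double-extension LNK and the HTA inside the ZIP) and two for the endpoint events (mshta.exe reading an HTA out of Temp, and cmd.exe spawned by explorer.exe from Downloads); the benign attachment and the service-launched cmd.exe produce nothing. Rule 2 is deliberately broad and will fire on users who legitimately open command prompts from their Downloads folder, so in practice it is a candidate for correlation with a preceding mail alert from the same user rather than a stand-alone page.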

The cases the analysis walks through

  • Viasat/KA-SAT, February 2022. A wiper attack delivered through a misconfigured VPN appliance, attributed to the GRU by the US, EU, and UK. The operation disabled remote management of around 5,800 wind turbines in Germany as collateral damage.
  • Industroyer2, April 2022. Sandworm attempted to deploy the malware against Ukrainian high-voltage substations, where it was neutralized before triggering.
  • FrostyGoop, January 2024. A 48-hour district heating outage in Lviv that affected more than 600 residential buildings during sub-zero temperatures.
  • APT28 RTSP reconnaissance, May 2025. Over 10,000 internet-facing IP cameras targeted, with 81% of the activity concentrated on Ukraine and the rest spread across Romania, Poland, Hungary, and Slovakia.
  • NoName057(16) reactive waves. 82 unique targets on August 6, 2024 alone, following the Ukrainian advance into the Kursk region.

Who this is for

The report is built for CISOs, threat intelligence analysts, and risk managers at organizations operating in or near the conflict zone, or in sectors with sustained targeting including government, defense, energy, telecommunications, manufacturing, insurance, and logistics. It is also relevant for sector ISACs and national CERTs extending coverage to the operators who don’t yet see themselves as in scope.
