Russia-Ukraine: How Cyber Attacks Shape the Conflict [Threat Note]
This blog summarizes our latest threat landscape report on the cyber dimension of the Russia-Ukraine conflict.
Between January 2024 and December 2025, Ukraine absorbed 2,824 recorded cyber attacks while Russia took 820 in the same period, a 3.4 to 1 imbalance that tells you more about how this conflict’s cyber dimension actually works than any headline does. February 24, 2026 marked four years since Russia’s full-scale offensive began, and while the kinetic war continues to dominate coverage, the cyber campaign has run in parallel throughout, hitting government institutions, critical infrastructure, and civilian-facing industries with measurable operational consequences on both sides of the front line.
The targeting matrix
Pro-Russian operations concentrate on Ukrainian government institutions (27% of attacks) and critical industries — telecommunications, energy, manufacturing. The pattern points to disruption of state functions and recovery capacity, not opportunistic theft.
Pro-Ukrainian operations target a different set of victims inside Russia: public-facing retail and technology companies, where civilian visibility is the point. These differences map directly onto the tactics and intent of each side.
Russia: cyber as a force multiplier
Distributed Denial of Service (DDoS) accounts for over 87% of pro-Russian attack volume. But the volume isn’t the story; the timing is.
In August 2024, when Ukrainian forces launched the Kursk incursion, pro-Russian groups opened a high-intensity DDoS campaign against Ukrainian and NATO entities within hours. The cyber operations moved with the kinetic ones — same operational tempo, same political objectives.
Beyond DDoS, pro-Russian operations conduct cyber-physical sabotage against telecommunications and energy infrastructure, exploiting unpatched vulnerabilities, shadow assets, and leaked credentials. The goal is denial of recovery: targeting critical systems alongside the kinetic ones makes restoration slower and more expensive.
This is the same kinetic-cyber synchronization we documented during the Israel-Iran conflict last June — different theatre, same playbook.
Ukraine: cyber as psychological warfare
Pro-Ukrainian operators run a different campaign. Their attacks broadcast political messaging to Russian civilians who don’t get it from state media.
Hacktivist collectives like Anonymous Italia deface Russian retail sites and educational institutions to project the emotional reality of the war into spaces ordinary Russians actually visit. Data breach operations follow a “hit and run” pattern: exfiltrate data from government bodies and VIPs, publish it on Telegram, dark web forums, and mainstream social media within hours, repeat.
The objective isn’t disruption. It’s the audience.
The four threat actors that matter
- NoName057(16) runs the highest volume of pro-Russian DDoS activity. The group operates a volunteer-driven platform called DDoSia, recruiting participants on Telegram and paying them in cryptocurrency to attack targets selected by the group. Europol’s Operation Eastwood disrupted the group’s infrastructure in July 2025 and issued arrest warrants for six Russian nationals, but the group rebuilt and resumed operations within days. We’ve covered the group’s tactics and infrastructure in our dedicated NoName057(16) profile.
- APT28 (GRU Unit 26165) runs the espionage track. The unit conducts long-running intelligence collection against Ukrainian and NATO targets. In May 2025, CISA and partner agencies across NATO confirmed the group had targeted over 10,000 internet-connected RTSP cameras at border crossings, military installations, and rail stations to monitor aid shipments into Ukraine. Eighty-one percent of the targeted cameras were inside Ukraine itself.
- Anonymous Italia drives roughly 90% of recorded defacement activity against Russian entities. The group targets sites with high civilian traffic — retailers, universities, public-facing government services — to maximize visibility of political messaging to Russian audiences.
- IT Army of Ukraine runs DDoS campaigns timed to military operations. The group claimed 50 attacks against media websites in the Kursk border region during the Ukrainian advance, demonstrating the same kinetic-cyber synchronization Russia uses, applied in reverse.
What’s evolving
Both sides are upgrading. AI-assisted phishing, zero-click exploits, and supply-chain compromises are now routine tools. The full report covers the IT-to-OT intrusion chains pro-Russian groups use to reach industrial control systems, the synchronization patterns between DDoS surges and kinetic operations, and the cross-border spillover risks that pull NATO supply chains into the impact zone.
What this means for organizations
Three actions for security teams whose operations or supply chains touch the region:
- Assume credential compromise. Pro-Russian operations rely heavily on leaked credentials and unpatched shadow assets. Audit your external attack surface for both, this week.
- Map third-party exposure into the conflict zone. Suppliers, logistics partners, and technology vendors operating in or near Ukraine are part of your risk surface.
- Watch for kinetic-cyber synchronization. Cyber surges align with military events. Geopolitical monitoring belongs in your security operations workflow, not just your news feed.
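One way to put the third action into practice, as an added example that is not from the report or its authors: flag hours where request volume far exceeds a trailing median, merge them into episodes, and tag each episode with any tracked geopolitical event from the preceding 12 hours. The traffic counts, event feed, thresholds, 12-hour window and function names are all constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: 48 hourly request counts for one public-facing service.
START = datetime(2024, 1, 1, 0, 0)
HOURLY = [1000 + (i % 5) * 20 for i in range(48)]
for i in (30, 31, 32):                      # constructed surge
    HOURLY[i] = 9000

# Constructed event feed (time reported, analyst label).
EVENTS = [(datetime(2024, 1, 2, 3, 0), "constructed: military operation reported")]


def find_surges(counts, start, window=24, factor=4.0):
    """Hours whose count exceeds `factor` times the trailing-window median."""
    surges = []
    for i in range(window, len(counts)):
        baseline = median(counts[i - window:i])   # median resists the surge itself
        if counts[i] > factor * baseline:
            surges.append(start + timedelta(hours=i))
    return surges


def episodes(surges):
    """Merge consecutive surge hours into (first_hour, last_hour) episodes."""
    out = []
    for ts in surges:
        if out and ts - out[-1][1] == timedelta(hours=1):
            out[-1] = (out[-1][0], ts)
        else:
            out.append((ts, ts))
    return out


def correlate(eps, events, lead=timedelta(hours=12)):
    """Attach events reported in the `lead` window before an episode began."""
    return [(first, last, label)
            for first, last in eps
            for when, label in events
            if timedelta(0) <= first - when <= lead]


if __name__ == "__main__":
    for first, last, label in correlate(episodes(find_surges(HOURLY, START)), EVENTS):
        print(f"surge {first:%Y-%m-%d %H:%M} to {last:%H:%M} follows event: {label}")
```
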
The full threat landscape report includes the complete targeting volume analysis, sectoral breakdowns, modus operandi for APT28 and Gamaredon, the IT-to-OT intrusion chains, and our defensive recommendations.
