Cyber Threat Landscape of the Russia-Ukraine War (Jan 2022 – Jan 2026)

Read our cyber-focused analysis of this four-year conflict.

What the dataset shows

Between January 2025 and January 2026, the CybelAngel REACT team recorded 1,651 cyber incidents targeting Ukrainian entities and 575 targeting Russian entities. The asymmetry isn’t new, since the prior twelve months looked nearly identical in shape and scale. The composition of the activity is where the picture gets more interesting.

Against Ukraine, 84% of recorded activity is DDoS, an operational pattern that is sustained, reactive to political events, and overwhelmingly concentrated in a single actor. Against Russia, 62% of activity is data breach claims and 26% is defacement, distributed across a wider set of groups operating on a hack-and-leak model rather than a disruption model. The result is two conflicts running in parallel under one banner, with two different doctrines and two different defensive problems to solve.

Why the numbers mislead

What’s inside the report

I. Threat Landscape. A look at attack volumes and types from January 2025 to January 2026, with a year-on-year comparison against the prior period. The section breaks down sectoral targeting on both sides, including the rise of insurance to third place among Ukrainian targets, and profiles the main players: pro-Russian hacktivism, pro-Ukrainian hacktivism, and the two Russian state APTs running the espionage track, APT28 (GRU Unit 26165) and Gamaredon (FSB Center 18, later GRU).

II. Operational Tradecraft and Effects. A closer look at DDoS, defacement, and data breach claims, including why DDoS activity against Russia fell from 86 to 41 incidents while activity against Ukraine held steady at 1,391. The section also covers the sharp rise in defacement against Russia from 15 to 152 incidents, with Anonymous Italia alone claiming 133, and explains how pro-Ukrainian hack-and-leak operations differ from APT espionage through cases like the GUR’s 2022 doxing of 620 alleged FSB officers and the 100 GB exfiltration from the Russian Ministry of Defense in January 2024.

III. Cross-Border Spillover: The NoName057(16) Case. A focused study of the most active threat actor in the world this year, with roughly 5,000 claimed attacks since January 2025, four times the volume of its nearest rival. The section looks at why the group targets Germany, Italy, France, and Spain more than Ukraine itself, how its activity tracks political and military events, and why it began joining pro-Iranian campaigns in March 2026.

IV. Defensive Implications. Six mitigation themes drawn from the data:

  • Inventory internet-exposed IP cameras, in light of APT28’s reconnaissance campaign against more than 10,000 devices
  • Detect LNK and HTA files to counter Gamaredon’s spearphishing model
  • Contain IT-to-OT movement within 48 hours, based on the Industroyer2 and FrostyGoop cases
  • Scope DDoS protection beyond the main portal to cover the full attack surface
  • Wire political-event monitoring into SOC posture and defensive readiness
  • Pre-build the narrative response for hacktivist incidents that generate disproportionate media coverage
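The second theme, detecting LNK and HTA files, is the one most easily turned into a concrete control. The block below is an added illustration and is not code from the report: it identifies Windows shortcuts by the MS-SHLLINK header (size field 0x4C followed by the link CLSID) and HTML Applications by content markers rather than trusting the filename, so a double-extension lure such as "report.pdf.lnk" or a renamed .hta is still caught, and it descends into ZIP attachments because such lures are often delivered inside an archive. The marker patterns, the decoy-extension list and the sample attachments are constructed here for the demonstration.

```python
"""Flag e-mail attachments that are Windows shortcut (LNK) or HTML Application (HTA)
files, by content rather than by name. Added example; not code from the report.
"""
import io
import re
import zipfile

# MS-SHLLINK: a shortcut begins with HeaderSize 0x0000004C (little-endian) followed
# by LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")

# Content markers for an HTA (assumption of this demo, not a full HTA grammar):
# the <hta:application> element, or a script block declared as VBScript/JScript.
HTA_MARKERS = [
    re.compile(rb"<\s*hta\s*:\s*application", re.I),
    re.compile(rb"<\s*script[^>]*language\s*=\s*['\"]?(vbscript|jscript)", re.I),
]
RISKY_EXT = {".lnk", ".hta"}
# Decoy extensions commonly placed before the real one ("invoice.pdf.lnk"); constructed list.
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")


def classify_attachment(name: str, data: bytes) -> list[str]:
    """Return the findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    lower = name.lower()
    if data[: len(LNK_MAGIC)] == LNK_MAGIC:
        findings.append("lnk-by-content")
    if any(p.search(data[:65536]) for p in HTA_MARKERS):
        findings.append("hta-by-content")
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in RISKY_EXT:
        findings.append(f"risky-extension{ext}")
        stem = lower[: -len(ext)]
        if stem.endswith(DECOY_EXTS):
            findings.append("double-extension")
    return findings


def scan(name: str, data: bytes, depth: int = 0) -> dict[str, list[str]]:
    """Classify an attachment and, for ZIP archives, every member up to two levels deep.
    Keys are 'outer.zip/inner.lnk' style paths so the finding points at the real file."""
    results = {}
    findings = classify_attachment(name, data)
    if findings:
        results[name] = findings
    if depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > 50_000_000:  # skip dirs and zip bombs
                    continue
                for inner_name, inner_findings in scan(info.filename, zf.read(info), depth + 1).items():
                    results[f"{name}/{inner_name}"] = inner_findings
    return results


def _make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP so the demo runs offline (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, entry_data in entries.items():
            zf.writestr(entry_name, entry_data)
    return buf.getvalue()


# Constructed sample attachments: a double-extension shortcut, an HTA hidden under a
# harmless extension, a benign text file, and an archive carrying a shortcut.
SAMPLE_LNK = LNK_MAGIC + b"\x00" * 60
SAMPLE_HTA = (b'<html><head><hta:application id="oHTA" showintaskbar="no"></head>'
              b'<body><script language="VBScript">Set o = CreateObject("WScript.Shell")'
              b"</script></body></html>")
SAMPLE_ZIP = _make_zip({"agenda.lnk": SAMPLE_LNK, "readme.txt": b"agenda attached"})

if __name__ == "__main__":
    mailbox = [("report.pdf.lnk", SAMPLE_LNK), ("update.txt", SAMPLE_HTA),
               ("notes.txt", b"plain text"), ("docs.zip", SAMPLE_ZIP)]
    for att_name, att_data in mailbox:
        for path, hits in scan(att_name, att_data).items():
            print(f"FLAG {path}: {', '.join(hits)}")
```

The check is deliberately cheap enough to sit in a mail gateway or an EDR file-write hook; extension-only rules miss the renamed HTA and the archived LNK, which are the two cases this example is built to catch.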

The cases the analysis walks through

Who this is for

The report is built for CISOs, threat intelligence analysts, and risk managers at organizations operating in or near the conflict zone, or in sectors with sustained targeting including government, defense, energy, telecommunications, manufacturing, insurance, and logistics. It is also relevant for sector ISACs and national CERTs extending coverage to the operators who don’t yet see themselves as in scope.

Authors: Louis-Charles Beyeler (Pre Sales) and Anne-Claire Chaugny (Cyber Operations). Published April 28, 2026.
