It is possible that specific cyberattacks against energy,
water supply or other similar critical infrastructure,[6]
which would lead to long-term service interruptions, were not
organised early on because Russia expected to achieve its
military objectives quicker and wanted to maintain the support
of the local population.

[6] An attack on the specific industrial control information
systems, which are used for vital services such as energy
and water supply, is somewhat different from attacking
ordinary information systems. Simply put, these
information systems are built differently. The
Industroyer2 malware was specially developed to attack
industrial control information systems, and the GRU
probably used it on 8 April 2022 against the Ukrainian
energy sector.
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Despite failing to occupy Ukraine in a few days as originally
intended, Russia continued its cyberattacks against Ukraine.
These were more frequent during certain periods. For example,
Ukrainian cyber defenders working with cybersecurity companies
repeatedly detected destructive malware over a period of about
30 days from the second half of March. Cyberattacks started to
gain momentum again in the autumn.[7]

[7] On detected cyberattacks, see e.g.
https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/

Cyberattacks to obtain information have continued.[8]
Cyber espionage is likely the biggest threat stemming from
cyberspace. Stolen information can effectively be used as
input to Russian special services’ operations and influence
activities.
During the war, Russia has repeatedly used several types of
destructive malware. On 11 October 2022, Microsoft detected the
CaddyWiper malware in the critical infrastructure of the
Mykolaiv and Kyiv regions. The cybersecurity company ESET
detected this malware for the first time on 14 March 2022 in
the information system of a Ukrainian bank.[9]
On 14 October 2022, Microsoft identified the Prestige
ransomware in the information system of Ukrainian and Polish
logistics and transport companies.
In 2022, cybersecurity researchers identified at least nine
types of destructive malware in Ukrainian cyberspace that have
attempted to disrupt services (ENISA Threat Landscape 2022, p.
25; Recorded Future, 2022[10]). Destructive malware makes a computer unusable by
corrupting programs or data. Ransomware that encrypts data
without the possibility of decrypting, such as Prestige, can
be used to the same end. Such an amount of destructive malware
has never been observed anywhere in such a short period of
time. This shows that Russia is capable of quickly developing
new malware.
Russian cyberattacks, like the actions of its armed forces,
are likely aimed at wearing down Ukraine’s cyber defenders and
then finding the weakest link that would help achieve Russia’s
overall military goal – to wear down Ukraine, damage the
international image and credibility of the Ukrainian
leadership, reduce aid from allies, and undermine the
society’s morale. Therefore, a cyberattack need not actually
disrupt an information system, as with each attack,
investigators have to spend human and time resources to check
whether and how extensively the information system has been
attacked, how to improve defence, etc.
Russia underestimated the resilience of Ukraine’s cyberspace
and the help it receives from Western countries and
cybersecurity companies. Despite
denial-of-service attacks on the websites of state
institutions to disrupt the flow of information, among other
things, the Ukrainian government has found alternative ways of
communication, for example, using social media. Using Starlink
devices also plays an important role in maintaining civilian
and military communications. Cybersecurity companies have been
helping Ukraine defend its cyberspace since 2014. Aid
intensified during the full-scale Russian invasion and, with
allied support, was likely instrumental in ensuring the
resilience of Ukraine’s cyberspace. Russia’s influence
operations in cyberspace have not had the expected effect.
Ukrainian society remains united and trusts its government
despite threats posted on social media and data leaks.
Russian cyberattacks go beyond the territory of Ukraine.
Pro-Kremlin cyberattackers threaten the cyberspace of
countries that support Ukraine, including Estonia, Latvia,
Lithuania and Poland. In the active phase of kinetic warfare,
they have attempted to intimidate societies with threats on
social media, denial-of-service attacks and data leaks. Their
activities support Russian special services’ influence
operations.
From 16 to 17 August 2022, denial-of-service attacks took
place on the information systems of Estonian companies and
state institutions.[11]
Pro-Russian hacktivists took responsibility for these
cyberattacks and claimed to have attacked 207 targets in
Estonia.[12]
In fact, they just copied a list of services where the
Smart-ID app can be used, and actual attacks were not carried
out against all these targets.
Russia uses cyberattacks to support its strategic objectives
(e.g., causing fear and weakening society’s resistance to the
aggressor, disrupting the functioning of the state, and
creating information noise to make it difficult to distinguish
reality from disinformation). The Russo-Ukrainian war confirms
that cybersecurity measures[13] make it possible to withstand
cyber espionage, cyber sabotage and influence operations.