We have been monitoring the cyber aspects of Russia’s war on Ukraine since January 2022, when the conflict was brewing up, and systematically analysed the conflict-related cyberattacks that came to our knowledge. We observed the global cyber landscape, to anticipate if and how cyber operations would target our constituents, the EU institutions, bodies, and agencies (EUIBAs), or organisations in Ukraine and EU countries.
We created a dedicated report to showcase this work. It is our attempt at taking a step back from the day-to-day events, trying to pierce through the fog of war’s veil to make a bigger picture materialise. A picture that could help us see how the conflict shaped the cyber threat landscape in Ukraine and elsewhere.
We don’t have a first-hand knowledge of cyberattacks in Ukraine, except for a handful of EUIBAs that have operations in the country. As a consequence, what you will read here largely relies on the reporting of, and information verification by public and private sources we deem trustworthy.
For each cyberattack we describe in this product, we analyse the context (timing, objectives, impact), victimology (targeted sectors, countries), main tactics, techniques and procedures (TTPs), and, when applicable, attribution made by third parties.
We recorded 806 cyberattacks and analysed them based on information coming from over 142 different sources:
- Many industry sources and researchers have scrutinised the threat landscape and used their telemetry to detect cyberattacks related to the war.
- National and governmental CSIRTs we closely cooperate with have fully used the existing information sharing frameworks to circulate their observations.
- Media have been extensively relaying cyberattacks of all kinds, at times inflating their impact for pure clickbait reasons. We had to frequently verify their reporting with trusted sources and victims.
The caveats you should take into account
We split activities per category and per threat actor. So while reading the report, please keep the following caveats in mind:
- The lines between the activities and the actors are blurry. One cyberattack can be a blend of several activities that belong to several categories. Also, threat actors may appear to be closely related.
- We could only analyse what was publicly reported or shared with us by our peers and partners. Spearphishing attacks, wiper attacks, DDoS attacks and information operations with a cyber component are more visible due to their nature, if compared to supply-chain attacks or targeted attacks on critical infrastructure, for example. It doesn’t take a rocket scientist to make the plausible assumption that some sophisticated activities haven’t been identified or reported.
- We have excluded most cybercrime activities such as ransomware from the statistics for this report because we could not associate them with Russia’s war on Ukraine. We can’t distinguish between war-related cybercrime and non-war-related cybercrime with sufficient accuracy.