In Ukraine, cyber warfare is no longer just code and servers. It’s frontline infrastructure, psychological warfare, and kinetic attacks rolled into one. According to the Computer Emergency Response Team of Ukraine’s latest report for cyber incidents in H2 2024, Russia-backed hackers have escalated their tactics: more aggressive, more automated, and far more coordinated with on-the-ground military action.
The illusion of isolated cyberattacks is long gone. What Ukraine is facing now is digital siege warfare.
Volume Up, Stealth Down
CERT-UA handled 2,576 cyber incidents in H2 2024 alone—a 48% jump from the previous half. But while the total number of incidents skyrocketed, critical and high-severity incidents dropped by 77%. That sounds like progress, until you realise it may reflect better attack obfuscation, not lower risk.
The malware playbook is also changing. There was a 112% increase in malware distribution campaigns, with phishing becoming increasingly industrialised. In many cases, attackers used cloud services like Google Drive and GitHub for malware hosting—effectively turning legitimate infrastructure into threat vectors.
The Energy Sector: A Persistent Bullseye
If there’s one thing Russia has been consistent about, it’s their obsession with Ukraine’s energy grid. CERT-UA confirms that cyberattacks now often precede missile strikes, following a coordinated pattern that merges cyber with kinetic warfare. These attacks are long-term projects—often executed over 6 to 8 months—with threat actors reusing previously compromised OT infrastructure and targeting supply chain vendors with weaker defenses.
That’s not just espionage. That’s sabotage.
Defense Targets and Military Devices: No Longer Untouchable
The military is no longer just a target—it’s an active battlefield. New malware variants like FIRMACHAGENT and legacy toolkits like SPECTR were deployed against personnel and defense firms. These implants stole everything from GPS coordinates to Signal credentials.
CERT-UA tracked multiple clusters like UAC-0020 (Vermin) and UAC-0180 that targeted military communications, file shares, and even surveillance systems. In one instance, adversaries delivered malware disguised as fake mobile versions of legitimate battlefield software, exploiting the trust placed in internal systems.
Also read: Vermin Hackers Resurface to Target Ukrainian Defense Forces with SPECTR Malware
The infection chain was brutally efficient: APK downloads via Signal messages, Java code injected into cloned apps, remote control over infected phones. Once inside, the attackers weren’t just collecting data—they were shaping battlefield outcomes.
Civilian Infrastructure as a Weaponized Domain
The December breach of Ukraine’s Ministry of Justice state registries didn’t just delay services. It froze passport issuance, halted property transactions, and disrupted border crossings. It was a textbook demonstration of how civilian systems can become attack vectors with strategic impact.
The cyberattack didn’t just inconvenience users. It paralyzed national functions—highlighting that for modern states, digital infrastructure is statecraft.
Supply Chains: The New Soft Target
While energy and defense sectors are hardened, attackers are pivoting to softer entry points: vendors. Several campaigns exploited unpatched vulnerabilities in third-party software like GeoServer (CVE-2024-36401) and WinRAR (CVE-2023-38831), compromising organizations through backdoor dependencies.
CERT-UA warns that supply chain intrusions are now the norm, not the exception. Threat actors are learning to hijack trust relationships to scale their reach. Think SolarWinds, but localised and ongoing.
Russia’s APT Clusters: Same Names, New Tricks
Familiar threat actors like UAC-0001 (APT28) and UAC-0050 returned with updated playbooks. QR-code phishing campaigns, fake CAPTCHAs delivering PowerShell payloads, and archive-based exploits replaced older VBS-based malware. The evolution wasn’t in concept—it was in delivery.
Also read: ‘I’m not a Robot’ reCAPTCHA Trojanized by Russian Hackers to Target Local Ukrainian Government
Meanwhile, UAC-0185 (UNC4221) ran credential-stealing campaigns targeting Signal, Telegram, and battlefield coordination apps. They disguised payloads as conference invitations or legitimate correspondence, relying on social engineering as much as technical delivery.
These aren’t spray-and-pray operations. They’re spear phishing at military precision.
Also read: Russian State-Backed Hackers Intensify Attacks on Signal Messenger Accounts
Rethinking Detection: The Case for Pre-Incident Intelligence
Ukraine’s defenders aren’t just reacting. CERT-UA has built out a growing network of sensors and analytics platforms, many deployed with international support. Several attacks were classified as “near misses”—interrupted mid-execution thanks to early threat visibility.
But the challenge is scale. With adversaries exploiting zero-days within 12 to 24 hours of disclosure, even minute delays in patching can be catastrophic. The only sustainable defense is anticipatory: threat hunting, telemetry sharing, and proactive adversary mapping.
Information-Psychological Ops: The Silent Front
Beyond the backdoors and RATs lies a subtler war. Russia’s cyber strategy includes IPSO—information-psychological operations. These aim to induce fear, panic, or doubt among civilians and service members alike. Even botched attacks serve a purpose if they shake trust in the system.
CERT-UA confirms ongoing phishing attempts targeting individuals via Signal and WhatsApp, designed to exfiltrate private data and weaponize it for disinformation. In this hybrid war, the line between cyberattack and propaganda is intentionally blurred.
The Cyberwar That Doesn’t End at the Keyboard
The report makes one thing painfully clear: Ukraine’s cyber battlefield isn’t confined to code or firewalls. It’s phones, passports, electricity, and morale. Every compromised registry, spoofed mobile app, or hijacked vendor account is part of a broader effort to erode national resilience.
Now in 2025, the question isn’t whether attacks will continue—it’s whether defenders can adapt faster than adversaries evolve.
That’s the real arms race.
