As we mark the third anniversary of the Russian invasion of Ukraine in February 2022, it is essential to reflect on the profound impact this conflict has had on the global cyber security landscape. The war has not only reshaped geopolitical dynamics but has also significantly influenced the nature and frequency of cyber threats, cyber crime, operational technology (OT) attacks, and hacktivism.
In the early stages of the conflict, we observed a disruption in cyber extortion operations by actors based in the region, as the chaos of war created instability for these criminal enterprises as much as for regular citizens. However, as the situation stabilised, cyber extortion surged once again, with actors bouncing back to new levels of activity. The Security Navigator 2025 report highlights that while growth in cyber extortion incidents has since “stabilised,” the tactics employed by cyber criminals have evolved, for example with AI tools being utilised to enhances attackers’ operational performance and makes it relatively easy to produce phishing and other social engineering techniques.
The war has also catalysed a rise in targeted cyber threats against critical infrastructure, particularly in Ukraine. The report emphasises that “targeted Operational Technology (OT) threats” have surged, with state-sponsored actors leveraging cyber capabilities to disrupt essential services. Russian Advanced Persistent Threat (APT) groups like Sandworm have been linked to several destructive malware campaigns, including the deployment of ‘HermeticWiper’ and ‘CaddyWiper,’ which aim to erase critical data and disrupt operations within Ukrainian organisations. These attacks have been characterised by their sophistication and sometimes coordination with kinetic military operations, demonstrating a clear strategy to undermine Ukraine’s resilience.
Intelligence reports also detail the activities of the Gamaredon group, a Russian state-sponsored actor responsible for extensive cyber espionage campaigns against Ukrainian entities. This group has been active since 2014 and has been exceptionally busy of late, primarily targeting government systems to exfiltrate sensitive information. Its recent campaigns have involved spear-phishing attacks and the deployment of custom malware.
The hacktivist element
Hacktivism has also evolved dramatically and gained momentum in response to the conflict, with various groups taking sides and launching cyber operations to support their political agendas. The report notes that “sophisticated hacktivism” has become a significant concern, as these actors engage in disruptive activities that can further escalate tensions and complicate the security landscape. Pro-Ukrainian hacktivist groups, such as the IT Army of Ukraine, have mobilised to target Russian entities, while pro-Russian groups like Killnet have launched DDoS attacks against Western organisations. The scale of these operations has been unprecedented, with reports indicating that DDoS attacks targeting Ukrainian websites increasing dramatically in the early months of the conflict.
The implications of hacktivism extend beyond mere disruption; they represent a new frontier in cyber conflict. The rise of pro-Russian hacktivism has introduced a layer of complexity to the conflict, as groups like Killnet and NoName057(16) have claimed responsibility for numerous attacks against perceived adversaries, including government institutions and private companies in NATO countries. These groups operate with a level of anonymity, making it challenging to attribute attacks and hold them accountable.
In this context, the concept of “cognitive attacks” has emerged as a significant concern. Cognitive attacks exacerbate the impact of DDoS and other technical attacks, and aim to manipulate public perception and sow discord through disinformation campaigns, often leveraging social media and other digital platforms. The Russian government has employed these tactics extensively, using state-sponsored actors to disseminate false narratives and undermine support for Ukraine, but a new generation of pro-establishment hacktivist actors are operating from the same playbook. The Security Navigator highlights that “ disinformation campaigns are designed to erode trust in institutions and create confusion among the populace,” making them a potent tool in modern cyber conflict.
As we reflect on the past three years, we acknowledge the resilience of the Ukrainian people and the global community’s response to the crisis. The lessons learned from this conflict serve as a reminder of the interconnectedness of our digital and physical worlds and the need for vigilance in the face of evolving threats.
The ongoing war in Ukraine has reshaped the cyber threat landscape. As we face another year characterised by conflict and uncertainty, we must remain committed to fostering a secure and resilient digital environment for all.
Charl Van Der Walt is head of security research at Orange Cyberdefense.
