Hackers, bots and algorithms: how Russia weaponised digital technology in its war against Ukraine

21 October 2025, 12:14

Modern warfare is no longer fought with missiles and tanks alone. Today’s battles extend into the digital realm, where hackers, bots, and algorithms have taken the place of soldiers. The Russian war against Ukraine has starkly demonstrated how digital technologies can be wielded as powerful weapons.

Ukraine has long faced waves of cyberattacks, but over time, these assaults have grown more frequent, sophisticated, and destructive. They have targeted critical infrastructure, government networks, and major enterprises. And while Ukraine might one day hope for at least a temporary truce or a frozen front on the battlefield, there is little reason to expect that cyberattacks against its systems will ease — especially as modern artificial intelligence tools continue to expand the attackers’ reach.

Ukraine: a testing ground for cyberweapons

Ukraine was the first country in the world to face large-scale cyberattacks on its critical infrastructure. Energy companies were prime targets, and these assaults effectively turned the country into a testing ground for a new generation of cyberweapons.

On 23 December 2015, hackers launched a coordinated attack on three Ukrainian energy companies, including Prykarpattyaoblenergo. They gained access to control systems through phishing emails sent in advance. After gathering detailed information on the network, they remotely shut down 30 substations, leaving more than 230,000 people without power. The blackout lasted several hours.

A year later, in December 2016, an even larger attack hit Kyiv’s Pivnichna substation, run by Kyivenergo. This time, hackers deployed new malware called Industroyer (or Crash Override). Unlike the tools used in the previous attack, it could directly manipulate the industrial control protocols of power infrastructure. These two incidents marked the first cyberattacks on energy companies anywhere in the world.

While other countries would later face similar threats, it was Ukraine’s energy systems that became the first victims of cyberstrikes of such destructive scale.

On 27 June 2017, Ukraine faced another cyberattack of unprecedented scale. The NotPetya virus, initially misidentified as a variant of the Petya ransomware, spread through updates of the widely used accounting software M.E.Doc, employed by thousands of Ukrainian companies. The attackers exploited M.E.Doc’s update system to push a malicious update to its users.

NotPetya posed as ransomware, demanding payments in bitcoin, but its true purpose was the complete destruction of data. The attack targeted banks, energy companies, airports, the railway network, telecom providers, and government institutions. Through global supply chains and international corporate networks, NotPetya quickly spread beyond Ukraine, causing widespread damage to companies in the United States, Europe, and around the world.

These attacks fundamentally changed the way the world understands cybersecurity in critical infrastructure. They were an early warning that cyberwarfare is not a matter of science fiction, but a harsh reality — one that has become a central component of modern conventional conflict.

Digital front of the full-scale Russian war

Russia’s full-scale invasion of Ukraine in February 2022 began not only with missile strikes but also with a major cyberattack. Just an hour before the ground offensive commenced, hackers took down Viasat’s satellite internet service, which provided communications for Ukraine’s military, police, and critical infrastructure. The attack crippled tens of thousands of devices across Europe, cutting off not only Ukrainian defence forces but also wind farms in Germany and users in several other countries.

Almost simultaneously, in January and February 2022, hackers targeted the government’s Diia platform and several other state websites, stealing citizens’ personal data. These records were likely intended for intelligence gathering and psychological operations against Ukrainians.

By the end of 2023, Russia struck Ukraine’s communications sector again, this time with a devastating cyberattack on the mobile operator Kyivstar, leaving its network offline for several days.

December 2024 marked the largest cyberattack on Ukraine’s state registries in the country’s history. Hackers stole and destroyed more than a billion records, including civil documents, property ownership files, and company registrations. The prolonged recovery process paralysed many government functions: citizens were unable to obtain essential documents, and businesses could not update operational data. In total, over 60 registries were inaccessible during this period.

A few months later, another critical target was hit. On 23 March 2025, hackers attacked Ukrzaliznytsia, Ukraine’s national railway operator. Passengers could not purchase tickets through the website or mobile app, and the company’s electronic systems remained disrupted for more than a week.

By autumn 2025, cybercriminals shifted tactics, targeting not infrastructure but public trust in Ukraine’s digital services. In September and October, a massive database containing the personal information of roughly 20 million Ukrainians appeared for sale on several closed Telegram channels, presented as yet another leak from Diia.

However, an investigation showed that the files were fake — a patchwork of old commercial data leaks, manually mixed with fabricated entries. The attackers’ aim was clear: to shake public confidence in Diia. Cybersecurity experts noted that using Diia’s name was no accident — it either boosted the files’ value on the black market or formed part of a Russian information operation targeting trust in government digital services like Reserve+ and Army+.

In reality, the data file had been circulating since the summer. The episode stands as a vivid example of how malicious actors manipulate fake hacks and leaks to sow panic and erode trust in the state.

Battle for minds and trust

Russia’s cyberwarfare goes far beyond technical strikes on infrastructure — it also aggressively manipulates the information space. This includes spreading AI-generated disinformation, hacking social media accounts, and recruiting Ukrainians through digital platforms. Officials at Ukraine’s Centre for Strategic Communications and Information Security explained that cyberwarfare also encompasses the spread of fake news on social networks and the recruitment of individuals for terrorist activities:

“If we go by the most common definition of cyberwarfare, spreading propaganda online — including fake news and manipulations — is a core component. Cyberwarfare covers the full spectrum of influence over the information space: blocking and hacking websites, creating clones, altering content on compromised sites, and stealing large datasets for use in information operations. Disinformation is generated and spread through cyber tools, even though the wider information war goes beyond cyberspace.”

Online recruitment is also a key part of cyberwarfare for several reasons. First, the entire process — from initial contact to coordination and reporting — happens online. Second, cyber tools themselves are used to recruit: hackers break into devices, steal personal data to use for blackmail, or gain unauthorised access to bank accounts. Third, payments for sabotage are routed through cryptocurrency, carding, or funds stolen via cyberattacks. Finally, once Russian intelligence gains access to a recruited individual’s devices, they can track their movements, monitor contacts, and even carry out remote detonations.

Pavlo Belousov, tech lead at the digital security hotline Nadiyno, shared his experience defending against cyberattacks. “Over the past year and more, the main issue people come to us at Nadiyno.org with is hacked Telegram accounts. We saw this trend throughout 2024, and it continues today. Every day, we handle several dozen cases just on this issue. The goal hasn’t changed, but attackers constantly evolve their methods and tools. In most cases, it’s phishing or a combination of techniques.”

“I’m convinced attackers will always go where the audience is and where there are gaps — or rather, a lack of safeguards — that let them target users. How they monetise it depends on the situation: they might message contacts asking for money, or they might find something valuable, like passwords, crypto exchange recovery keys, that sort of thing. There are plenty of ways to exploit people. For many users, Telegram is everything: work, personal file storage, a notepad, a news feed.

“This is a systemic problem — at least from our perspective — which means we shouldn’t just help people regain access, we need to prevent these hacks in the first place. Restoring access isn’t simple: it takes time and sometimes requires deleting all data. That’s why we encourage people to act proactively and learn to spot phishing attempts on Telegram. Whenever users take proactive steps and focus on protecting themselves rather than just recovering access, it directly reduces the success — or, rather, increases the failure — of attacks from Russians and other criminals. In most cases, simply following basic security practices is enough to avoid a lot of these attacks and to seriously weaken the effectiveness of the attackers.”

Cyberwar 2025: the new reality and what lies ahead

The Ukraine–Russia war has become a proving ground for the future of cyberwarfare, a laboratory where tactics are being tested that will shape conflicts for years to come. By 2025, cyberwarfare had outgrown its traditional definitions, evolving into a complex hybrid battlefield where strikes on critical infrastructure, large-scale data theft, propaganda, and cybercrime all intersect.

Data from the European Union Agency for Cybersecurity (ENISA) shows a dramatic shift in the motivations behind attacks in recent years. According to its 2025 report, nearly 80% of all cyberattacks that year were politically motivated, while purely financial attacks accounted for just 13.4%. The message is clear: today’s cyberwarfare is less about money and far more about inflicting damage on states and societies.

Artificial intelligence has become the defining weapon of our age. Russian cyber operators are using it to craft highly convincing phishing lures, automate malware mutations and launch sophisticated social‑engineering attacks that slip past traditional defences. AI speeds up reconnaissance, helps evade defensive measures and enables rapid, large‑scale coordinated strikes.

The history of Ukraine’s cyber resistance shows that cyberwarfare has become an inseparable part of modern hybrid conflicts. Even when large-scale DDoS campaigns don’t trigger major outages, their combination with disinformation and public opinion manipulation steadily weakens the resilience of digital ecosystems. Attacks on critical state infrastructure have become a core element of a broader strategy to destabilise society.

Ukraine’s experience makes it clear that future conflicts will be fought on multiple fronts at once — technical, informational, and psychological. A strong cyberdefence ecosystem is now as essential as traditional military defence. The war in Ukraine stands as a stark warning to Europe and the democratic world: cyberwarfare and AI-driven conflict are no longer distant threats — they are happening here and now.
