
Cyber War — Russia vs Ukraine Tracker

Russia's full-scale invasion began with a wave of cyberattacks hours before the first missiles. Since then, Russian state hackers (Sandworm, APT28, Cozy Bear) have conducted over 5,000 documented attacks on Ukraine while Ukraine's IT Army — 300,000+ volunteers — hit back against Russian banks, infrastructure, and state media.

Sources: CERT-UA, SSSCIP Ukraine, Microsoft MSTIC, ESET Research, Mandiant/Google TAG

  • 5,000+: Russian attacks on Ukraine (2022–23)
  • Sandworm: World's most destructive hacker group
  • 300,000+: Ukraine IT Army volunteer members
  • 24M: Ukrainians hit by Kyivstar hack (Dec 2023)

Key Cyber Threat Actors

Sandworm

Also known as: Voodoo Bear, Iron Viking, IRIDIUM, GRU Unit 74455

APT Group

🏛️ Russian GRU Military Intelligence

Specialization: Critical infrastructure attacks, ICS/SCADA, wiper malware, satellite systems

Notable operations: NotPetya (2017), Ukraine power grid attacks (2015, 2016), Viasat (2022), Industroyer2 (2022), Kyivstar (2023)

APT28 / Fancy Bear

Also known as: Sofacy, STRONTIUM, Forest Blizzard, GRU Unit 26165

APT Group

🏛️ Russian GRU Military Intelligence

Specialization: Espionage, credential theft, election interference, NATO targeting

Notable operations: DNC hack (2016), Bundestag hack, Ukrainian military targeting, energy sector spearphishing

Cozy Bear / APT29

Also known as: The Dukes, Midnight Blizzard, SVR Group

APT Group

🏛️ Russian SVR Foreign Intelligence

Specialization: Long-term espionage, supply chain attacks, cloud infiltration

Notable operations: SolarWinds supply chain (2020), Diplomatic targeting of Ukraine's allies, Microsoft email breach (2024)

Killnet

Also known as: KillNet Collective

Hacktivist

🏛️ Pro-Russian hacktivist group (GRU-adjacent)

Specialization: DDoS attacks against NATO countries

Notable operations: DDoS against US, Germany, Italy, Latvia, Lithuania, Romania government sites; symbolic impact

Ukraine IT Army

Also known as: IT Army of Ukraine

Hacktivist

🏛️ Ukraine-aligned volunteer hacktivist collective, coordinated by SSSCIP

Specialization: DDoS, data leaks, Russian infrastructure disruption

Notable operations: Largest DDoS attacks on Russian banking, state media, RuTube, Sberbank, RZhD railways

Gamaredon / Armageddon

Also known as: UAC-0010, Primitive Bear, Shuckworm, FSB Crimea group

APT Group

🏛️ Russian FSB Federal Security Service (Crimea-based unit)

Specialization: Mass spearphishing, remote access trojans, persistent low-sophistication high-volume attacks on Ukrainian military and government

Notable operations: Most prolific Russian APT targeting Ukraine since 2014; 5,000+ Ukrainian targets; deployed GAMMASTEEL, PTERODO malware; 2023–2024 phishing surge against Ukrainian armed forces

Major Cyber Incidents Log

Cyberattacks on Ukraine by Year (SSSCIP data)

| Year | Total Incidents | Critical Infra Attacks | Dominant Vector | Top Actor |
|---|---|---|---|---|
| 2022 | 2,194 | 420+ | Wiper malware, DDoS | Sandworm (GRU) |
| 2023 | 2,543 | 518 | Spearphishing, espionage | Gamaredon (FSB) |
| 2024 | 3,100+ | 600+ | Phishing, supply chain | Gamaredon, APT28 |
| 2025 | 3,450+ | 640+ | AI-assisted phishing, espionage | Gamaredon, Sandworm |
| 2026 (Q1) | 890+ | 170+ | AI-assisted phishing | Multiple GRU/FSB |

Source: SSSCIP Ukraine quarterly cyber threat reports

Jan 13–14, 2022 | Russian State
GRU / Sandworm

🎯 Target: Ukrainian government websites (70+ sites defaced)

🔧 Method: WhisperGate wiper malware + web defacement

Cabinet of Ministers, Foreign Ministry, and Education Ministry sites were defaced with the message "Be afraid and expect the worst." A data wiper disguised as ransomware was deployed on Ukrainian systems.

Attribution: Microsoft MSTIC, CISA attributed to GRU-linked actors

Feb 23–24, 2022 | Russian State
GRU / Sandworm

🎯 Target: Ukrainian military, government, financial institutions

🔧 Method: HermeticWiper, IsaacWiper — data destruction malware

Destructive wiper malware deployed across hundreds of Ukrainian systems hours before invasion. Designed to brick devices permanently. Coordinated with military offensive.

Attribution: ESET, Symantec, SentinelOne; attributed to GRU

Feb 24, 2022 | Russian State
GRU

🎯 Target: Viasat KA-SAT satellite communications network

🔧 Method: AcidRain wiper targeting satellite modems

Took down ~40,000 satellite modems across Europe. Ukraine's military relied on Viasat for communications — lost connectivity for hours on invasion day. Spillover affected wind turbines in Germany.

Attribution: US, UK, EU jointly attributed to Russia (GRU); confirmed May 2022

Apr 2022 | Russian State
Sandworm (GRU Unit 74455)

🎯 Target: Ukrainian energy company (Ukrenergo substation)

🔧 Method: Industroyer2 — ICS/SCADA-targeting malware

Attempted to shut down high-voltage electrical substation in Ukraine. CERT-UA and ESET detected and neutralized before execution. Most sophisticated ICS attack since original Industroyer (2016).

Attribution: CERT-UA + ESET joint investigation; GRU Unit 74455

May–Jun 2022 | Russian Hacktivist
Killnet

🎯 Target: NATO countries' government sites (USA, Germany, Italy, Romania, Latvia)

🔧 Method: DDoS attacks

Temporary disruptions to government websites in multiple NATO states. More noise than effect — politically symbolic rather than operationally significant.

Attribution: Self-claimed by Killnet Telegram channel; believed GRU-adjacent

Jul 2022 | Ukraine Hacktivist
Ukraine IT Army

🎯 Target: Russian banks, government sites, state media (TASS, RIA Novosti)

🔧 Method: Coordinated DDoS; data leaks

Temporary disruption of Sberbank, VTB, Russian state television portals. Sberbank reported largest DDoS in its history. IT Army grew to 300,000+ volunteer participants globally.

Attribution: Ukraine IT Army — Telegram-coordinated volunteer hacktivist collective, guided by Ukraine SSSCIP

Oct 2022 | Russian State
GRU / APT28

🎯 Target: Ukrainian and European energy sector

🔧 Method: Spearphishing, credential theft, network intrusion

Reconnaissance of European energy suppliers providing aid to Ukraine. Pre-positioning for potential disruption during winter energy crisis. Detected and disrupted by national CERTs.

Attribution: NSA, CISA joint advisory; APT28 (GRU Unit 26165)

Dec 2023 | Russian State
Sandworm

🎯 Target: Kyivstar — Ukraine's largest mobile network (~24M subscribers)

🔧 Method: Long-dwell network intrusion; wiper malware

Complete destruction of Kyivstar's core infrastructure. Network down 2+ days. 24 million Ukrainians without mobile service. No voice, SMS, or mobile internet. Air raid warning systems disrupted in some areas.

Attribution: Ukrainian SBU directly attributed to Sandworm (GRU). Kyivstar CEO confirmed Russian military hackers.

Jan 2024 | Ukraine
Ukraine GUR / IT Army

🎯 Target: M9com — Russian internet service provider

🔧 Method: Intrusion and destructive attack

Took down M9com — major ISP serving Moscow. Disrupted internet access for thousands of Russian users and state organizations. Retaliation for Kyivstar attack.

Attribution: Ukraine's GUR (Military Intelligence) claimed responsibility

2022–2026 | Russian State
Multiple Russian APTs

🎯 Target: Ukrainian critical infrastructure (ongoing)

🔧 Method: Espionage, wiper malware, spearphishing, supply chain

Continuous campaign: 5,000+ cyberattacks on Ukrainian government systems in 2022–23 alone (SSSCIP data). Russia shifted strategy from destructive to persistent espionage after Ukraine hardened defenses. In 2025–2026 AI-assisted spearphishing targeting Ukrainian military networks intensified.

Attribution: CERT-UA, SSSCIP quarterly reports; multiple APT groups

Cyber War Lessons

Cloud Migration Saved Ukraine

Before the invasion, Ukraine moved government data to cloud (Microsoft, Amazon). Russian attacks destroyed server rooms but couldn't erase cloud backups. A critical pre-war resilience decision.

Viasat Attack Effect

The Feb 24 Viasat attack was the most consequential — it disrupted Ukrainian military comms on invasion day. SpaceX's Starlink deployment became critical as a result. A model for "D-Day" cyberattack coordination.

Ukraine's Cyber Allies

Microsoft, Google, Amazon, Cisco all provided emergency cyber defense support. EU activated its Cyber Diplomacy Toolbox. CrowdStrike, ESET deployed teams in Ukraine. Unprecedented private-sector war effort.

IT Army Effectiveness

Ukraine's 300,000-volunteer IT Army is the world's largest hacktivist force. Coordinated via Telegram, it targeted Russian banks, railways, state media. Real disruption but hard to quantify strategically.

Frequently Asked Questions

Has Russia hacked Ukraine during the war?

Yes. Russia has conducted thousands of documented cyberattacks against Ukraine. Over 5,000 attacks on Ukrainian government systems were recorded in 2022–2023 (SSSCIP). Russian state hackers began operations months before the February 2022 invasion: WhisperGate wiper malware was deployed on January 13–14, 2022, followed by HermeticWiper and IsaacWiper deployed the night before the full-scale invasion.

What is Sandworm and what has it done in Ukraine?

Sandworm (GRU Unit 74455, aka Voodoo Bear) is the world's most destructive hacker group. Ukraine has been its primary target for over a decade. Key Ukraine operations: 2015–2016 electricity grid blackouts (first ICS attacks in history), NotPetya global wiper (2017), Viasat satellite hack on invasion day (Feb 24, 2022), Industroyer2 power grid attack (Apr 2022), and the Kyivstar mobile network destruction (Dec 2023).

What was the Viasat KA-SAT hack in February 2022?

On the morning of the full-scale invasion (Feb 24, 2022), Russian GRU hackers deployed AcidRain wiper malware against Viasat's KA-SAT satellite network, destroying ~40,000 modems. Ukraine's military lost satellite comms on day one. Spillover disrupted wind turbines in Germany and users across central Europe. The US, UK, and EU jointly attributed the attack to Russia in May 2022. It accelerated Starlink's critical role in Ukraine.

What is the Ukraine IT Army and how effective is it?

The Ukraine IT Army is a hacktivist collective launched by Ukraine's Ministry of Digital Transformation on February 26, 2022. Coordinated via Telegram, it grew to 300,000+ volunteers from 52+ countries. It conducts DDoS attacks and data leak operations against Russian banks (Sberbank, VTB), state media (TASS, RIA Novosti), and government services. Sberbank reported the largest DDoS in its history during this campaign.

What was the Kyivstar hack and why does it matter?

In December 2023, Sandworm destroyed Kyivstar's entire core IT infrastructure after months of undetected access. Ukraine's largest mobile operator (24 million subscribers) went offline for 2+ days. Ukrainians lost voice, SMS, and mobile internet. Air-raid warning systems in several areas were disrupted. The SBU attributed the attack directly to Sandworm (GRU). Ukraine retaliated in January 2024 by destroying M9com, a Moscow ISP.

Data Sources

  • CERT-UA (Computer Emergency Response Team of Ukraine) — official incident reports and malware analysis
  • SSSCIP (State Service of Special Communications and Information Protection of Ukraine) — quarterly cyber threat assessments
  • Microsoft MSTIC (Microsoft Threat Intelligence Center) — Ukraine-focused nation-state threat reports
  • ESET Research — technical analysis of Industroyer2, HermeticWiper, AcidRain and other Ukraine-targeted malware
  • Mandiant / Google Threat Analysis Group (TAG) — Russian APT group attribution and Ukraine campaign analysis