Russian Cyber Operations Hit Ukraine and Expand to Allied Governments
Ukraine has remained a primary target and proving ground for Russian-linked cyber operations, from the Petya/NotPetya outbreak that began via Ukrainian networks and crippled government agencies, banks, transport systems, industrial firms, and Chernobyl monitoring systems, to later destructive malware planted in dozens of Ukrainian government and private-sector networks. Microsoft said the 2022 malware was discovered alongside website defacements affecting Ukrainian entities and appeared designed for later activation, while officials warned such activity could accompany broader military escalation. Earlier attacks on Ukraine’s power grid, election systems, and software supply chain underscored how repeated intrusions against the country have had consequences far beyond its borders.
The campaign has also extended well outside Ukraine through espionage and supply-chain compromises attributed by officials and researchers to Russian state actors. Microsoft reported that hackers aligned with Russia targeted organizations in 42 countries supporting Ukraine, with nearly two-thirds of the targets in NATO states and data theft in at least a quarter of the successful intrusions. Separately, suspected SVR operators were tied to a broad intrusion set affecting at least 40 organizations, including U.S. government agencies, technology firms, and cybersecurity companies, reinforcing warnings that attacks first seen in Ukraine can evolve into wider operations against allied governments and critical sectors.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Microsoft reports Russian espionage targeting 42 Ukraine-supporting countries
On June 22, 2022, Microsoft said state-backed Russian hackers had conducted strategic espionage against organizations in 42 countries supporting Ukraine, with successful intrusions in 29 percent of cases and data theft in at least a quarter of successful compromises. The company said nearly two-thirds of targets were in NATO countries and also reported intensified Russian influence operations after the invasion.
Microsoft details cyber threat activity during Russia's invasion of Ukraine
On February 28, 2022, Microsoft published analysis of ongoing cyber threat activity in Ukraine, describing destructive and disruptive operations accompanying Russia's invasion and linking observed activity to Russian state-aligned actors. The report marked a public technical update on the wartime cyber campaign beyond the earlier January malware discovery.
Microsoft detects destructive malware on Ukrainian networks
On January 13, 2022, Microsoft discovered a highly destructive malware strain staged on dozens of Ukrainian government and private-sector networks, including government, nonprofit, and IT organizations. Microsoft and U.S. officials said the actor had not yet been specifically attributed at that time, though they warned such cyberattacks could accompany broader Russian escalation.
Website defacements hit Ukrainian government agencies
On January 13, 2022, Ukrainian government agencies reported website defacements amid heightened tensions with Russia. The defacements coincided with the discovery of a separate destructive malware operation on Ukrainian networks.
Suspected Russian SolarWinds espionage campaign expands to at least 40 victims
By December 2020, Microsoft disclosed that suspected Russian hackers had infiltrated at least 40 organizations, including technology firms, government agencies, and think tanks, in a broad espionage campaign. U.S. officials said the Department of Energy and National Nuclear Security Administration were affected, and intelligence agencies reportedly assessed the operation was conducted by Russia's SVR.
Petya/NotPetya outbreak begins in Ukraine and spreads globally
On June 27, 2017, the Petya outbreak started in Ukraine, disrupting government networks, banks, industrial firms, transportation systems, and radiation-monitoring systems at Chernobyl before spreading to dozens of countries and international companies. Microsoft and ESET said the attack initially targeted Ukrainian accounting software vendor M.E.Doc, which later denied being the origin point.
Russian cyberattacks begin targeting Ukrainian infrastructure
Since 2014, Ukraine has faced repeated cyberattacks against critical infrastructure and government-related systems, including incidents affecting the power grid and election systems. Ukrainian officials publicly suspected Russian involvement, though direct proof was not established in the cited reporting.
Sources
6 references tracked.
Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies (voanews.com)
Cyber threat activity in Ukraine: analysis and resources (microsoft.com)
Microsoft Warns of Cyber Attack on Ukrainian Computer Networks - The New York Times (nytimes.com)
Malware attacks targeting Ukraine government - Microsoft On the Issues (blogs.microsoft.com)
More Hacking Attacks Found, Officials Warn of Risk to U.S. Government - The New York Times (nytimes.com)
Ukraine Is 'Ground Zero' For Hackers In Global Cyberattacks (rferl.org)


