Russian-Linked Cyberattacks Hit Ukraine and Spill Into Wider European Targets
Ukrainian government, military, banking, and energy targets were repeatedly disrupted by cyber operations tied to Russia and the war around Ukraine. Reports describe attacks on a Ukrainian power station, outages affecting the websites of Ukraine’s defense ministry and major banks, and broader disruptive activity against the country’s financial sector. The UK government later said technical analysis by the National Cyber Security Centre assessed that Russia’s GRU was almost certainly involved in the February 2022 distributed denial-of-service attacks on Ukrainian banking targets, framing the incidents as part of continued Russian aggression.
The campaign also expanded beyond Ukraine through both state-linked and pro-Russian actors. Killnet, a Russia-aligned hacktivist group, claimed retaliatory DDoS attacks on Lithuanian government and business websites after restrictions affecting transit to Kaliningrad, while other reporting said Russian-backed actors continued destructive operations against Ukraine, including wiper malware and attempted power-grid attacks. At the same time, pro-Ukrainian hackers mounted hack-and-leak operations against Russian institutions, underscoring how the conflict evolved into a broader regional cyber confrontation affecting governments, critical infrastructure, and financial services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
17 events from the most recent confirmed update back to the earliest known activity.
Russia accused of targeting border cameras to disrupt aid to Ukraine
By May 2025, Russia was accused of attempting to hack security cameras at border crossings used to move assistance into Ukraine. The alleged activity represented a cyber effort aimed at interfering with logistics and aid delivery rather than the previously documented attacks on banks, telecoms, or the power grid.
Russian cyberattack disrupts Kyivstar and wipes thousands of systems
In December 2023, Ukraine's largest telecom operator Kyivstar was hit by a destructive cyberattack attributed to Russia that caused major service outages. The company's CEO later said the attack wiped thousands of virtual servers and PCs, highlighting the scale of the intrusion.
Russian hackers target cameras inside Ukraine for surveillance
By 2023-04-11, reporting said Russian hackers were attempting to access internet-connected security cameras inside Ukraine, including devices in locations such as coffee shops. The activity suggested an effort to gather real-time visual intelligence from civilian and commercial environments during the war.
Killnet launches DDoS attacks on Lithuanian government and business sites
In June 2022, pro-Russian hacktivist group Killnet conducted distributed denial-of-service attacks against Lithuanian government and business websites, including the State Tax Inspectorate and accounting provider B1.lt. The group said the operation was retaliation for Lithuania's restrictions on transit to Kaliningrad and threatened further disruption.
Russian-linked actors launch hack-and-leak campaign against Russian institutions
By April 2022, hackers aligned with Ukraine or sympathetic to its cause claimed breaches of dozens of Russian institutions, including Roskomnadzor and the F.S.B., and released emails and internal documents online. The leaks were presented as part of the cyber dimension of the Russia-Ukraine war, though much of the material was difficult to independently verify.
Sandworm attempts Industroyer2 attack on Ukrainian substations
In April 2022, Russian state-linked Sandworm actors attempted to deploy Industroyer2 malware against Ukrainian electrical substations. Ukrainian defenders disrupted the operation before it could cause a larger power outage, revealing a new phase of cyber targeting against the country's energy infrastructure.
Ukraine reports propaganda site hijacks and destructive malware campaigns
By 2022-03-04, a senior Ukrainian cyber official said Russian operators had hijacked about 10 local government websites to post false surrender messages and were running targeted email campaigns that delivered destructive malware. He also said Ukraine had identified attempts to infect individual citizens' devices, indicating an expansion of Russian cyber tactics beyond earlier DDoS and phishing activity.
Tech companies mobilize to help Ukraine defend against cyberattacks
By 2022-02-28, major technology companies including Microsoft were publicly described as assisting Ukraine in defending government and critical networks against ongoing Russian cyberattacks during the invasion. The support marked a notable private-sector response alongside the previously documented disruptive attacks on Ukrainian institutions.
Ukraine warns of new wave of phishing attacks
On 2022-02-25, Ukrainian cyber officials warned that a new wave of phishing attacks was targeting users amid the broader conflict. The alert marked a shift from the earlier disruptive DDoS activity to credential-theft and social-engineering operations affecting Ukrainian networks.
Viasat KA-SAT satellite network disrupted at start of Ukraine invasion
On 2022-02-24, a cyberattack hit Viasat's KA-SAT satellite communications network, disrupting modems in Ukraine and elsewhere in Europe. The incident affected communications used around the opening of Russia's invasion and later became a major example of spillover risk in satellite infrastructure.
Wiper malware hits Ukrainian bank and Baltic government contractors
On 2022-02-24, destructive malware attacks reportedly affected a Ukrainian bank and Ukrainian government contractors in Latvia and Lithuania as Russia's invasion began. The activity showed cyber operations accompanying the kinetic assault and extending beyond Ukraine's borders to supporting organizations in neighboring countries.
UK publicly attributes February Ukraine cyberattacks to Russia's GRU
On 2022-02-18, the UK government said technical analysis by the National Cyber Security Centre assessed that Russia's Main Intelligence Directorate was almost certainly involved in the DDoS attacks against Ukraine on 15 and 16 February. The statement framed the activity as part of continued Russian aggression toward Ukraine.
Second day of attacks continues against Ukraine's banking sector
Disruptive attacks against Ukraine's banking and financial sector continued on 2022-02-16, extending the impact beyond the initial wave the previous day. The multi-day activity became the basis for later public attribution by the UK government.
DDoS attacks hit Ukraine's defense ministry and major banks
On 2022-02-15, disruptive cyberattacks knocked offline or degraded the websites of Ukraine's defense ministry, armed forces, and major banks including PrivatBank and Oschadbank. Ukrainian officials said the incidents were large-scale DDoS attacks occurring amid heightened tensions with Russia.
Hackers disrupt Ukrainian government websites
On 2022-01-14, multiple Ukrainian government websites were taken offline or defaced in a cyberattack. The incident marked an earlier wave of disruptive activity against Ukraine's public sector before the February attacks on banks and defense-related sites.
Ukraine says hackers breached document portal and planted malicious files
On 2021-02-24, Ukrainian officials said attackers had compromised a government document-management portal and uploaded malicious files disguised as official documents. Ukraine linked the activity to Russia, describing it as part of ongoing cyber operations against state institutions.
Ukraine's power grid is hacked again, causing a blackout in Kyiv
A cyberattack disrupted a Ukrainian power transmission station in December 2016, causing a brief blackout in part of Kyiv. Researchers later linked the incident to malware known as Industroyer/CrashOverride, marking another major attack on Ukraine's power grid.
Sources
20 references tracked. Mallory keeps watching after this page renders.
Russia accused of trying to hack border security cameras to disrupt Ukraine aid | Russia | The Guardian
theguardian.com
Open sourceCEO of Ukraine's largest telecom operator describes Russian cyberattack that wiped thousands of computers | The Record from Recorded Future News
therecord.media
Open sourceRussian hackers ‘target security cameras inside Ukraine coffee shops’ | Ukraine | The Guardian
theguardian.com
Open sourceRussia’s Viasat Hack Exposed Satellite Industry’s Security Flaws
bloomberg.com
Open sourceRussian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack
thehackernews.com
Open sourceUkraine says Russia hacked its document portal and planted malicious files - Ars Technica
arstechnica.com
Open sourceUkraine's military denies Russian hack attack
web.archive.org
Open sourceCa Ccs
cyber.gc.ca
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ukraine Hit by Coordinated Cyberattacks on Government Sites and Banks
Ukraine faced a series of disruptive cyberattacks targeting government ministries, the Defense Ministry, state portals, and major banks, culminating in what officials called the largest **DDoS** campaign in the country’s history. On 15 February, attacks knocked or degraded access to services at PrivatBank, Oschadbank, the Ministry of Defense, government websites, and the **Diia** platform, with Ukrainian officials saying roughly 15 banks were affected. Authorities said the operation had been prepared in advance, originated from multiple countries, and was intended to destabilize society and trigger panic; they also said no theft of funds or personal data had been confirmed, while U.S. partners helped provide technical support and additional protections. The February disruption followed an earlier January intrusion in which multiple Ukrainian ministry websites were hit and a defacement message in Russian, Polish, and Ukrainian falsely warned that citizens’ personal data had been leaked and destroyed. Ukrainian officials said no personal data leak was verified, while the **EU** and **NATO** publicly backed Kyiv and expanded cyber assistance, including closer cooperation and access to malware-sharing resources. The incidents fit a longer pattern of cyber operations against Ukraine, including the **NotPetya** attack that previously disrupted government bodies, banks, utilities, logistics firms, and airport operations and was later publicly attributed by the UK and US to Russia, an accusation Moscow has denied in more recent cases.
May 26, 2026
Russian Cyber Operations Hit Ukraine and Expand to Allied Governments
Ukraine has remained a primary target and proving ground for Russian-linked cyber operations, from the **Petya/NotPetya** outbreak that began via Ukrainian networks and crippled government agencies, banks, transport systems, industrial firms, and Chernobyl monitoring systems, to later destructive malware planted in dozens of Ukrainian government and private-sector networks. Microsoft said the 2022 malware was discovered alongside website defacements affecting Ukrainian entities and appeared designed for later activation, while officials warned such activity could accompany broader military escalation. Earlier attacks on Ukraine’s power grid, election systems, and software supply chain underscored how repeated intrusions against the country have had consequences far beyond its borders. The campaign has also extended well outside Ukraine through espionage and supply-chain compromises attributed by officials and researchers to Russian state actors. Microsoft reported that hackers aligned with Russia targeted organizations in **42 countries** supporting Ukraine, with nearly two-thirds of espionage victims in NATO states and successful intrusions resulting in data theft in at least a quarter of cases. Separately, suspected **S.V.R.** operators were tied to a broad intrusion set affecting at least 40 organizations, including U.S. government agencies, technology firms, and cybersecurity companies, reinforcing warnings that attacks first seen in Ukraine can evolve into wider operations against allied governments and critical sectors.
May 25, 2026
Russian Cyberattacks Disrupted Ukraine Communications via Viasat and Wiper Malware
Russian-linked cyber operations hit Ukraine at the outset of the invasion with both destructive malware and a major satellite communications disruption. Security researchers identified the **HermeticWiper** data-wiping malware on hundreds of systems in Ukraine, with additional impacts reported at a Ukrainian financial institution and government contractors in Latvia and Lithuania. The activity coincided with **DDoS** attacks against Ukrainian government entities and PrivatBank, underscoring a coordinated effort to degrade communications and critical services as military operations began. A parallel attack on Viasat’s **KA-SAT** network knocked 40,000 to 45,000 satellite modems offline, many of them permanently, after attackers compromised a VPN-connected management center in Turin and pushed wiper malware through a software update server. Viasat later said the incident unfolded in two stages, with a second wave using compromised modems to flood company systems and complicate recovery; the disruption spilled into Europe, including outages affecting **5,800 Enercon wind turbines in Germany**. U.S. and EU officials attributed the operation to Russian hackers, and the investigation helped support sanctions announced in 2022.
May 25, 2026