How would you characterise the cyberattacks against Ukraine in 2025? What has changed compared to the previous year?
We observed a shift in the adversary's focus toward cyber intelligence, particularly espionage targeting the military and defence-industrial sectors. New threats have emerged in the cyber arena, and Russia is actively recruiting additional forces for attacks, often compensating for a lack of quality with quantity. In the past year alone, we have begun tracking about 20 new clusters of cyber threats.
An additional factor in this rapid development is the spread of artificial intelligence technologies. While in 2024 it was mainly used to generate phishing messages, in 2025, we saw not only malware created with the help of artificial intelligence, but also malware that internally uses AI algorithms to carry out malicious actions.
The number of destructive attacks has not decreased either. At the same time, they have become less noticeable, as a significant portion of such cyberattacks was neutralised in the early stages, which reduced their public resonance.
Have you seen any novel tactics by the nation-state threat actors in cyberspace? Are there any significant new threat groups that have emerged?
As mentioned earlier, we began tracking about 20 new cyber threat clusters in 2025. At the same time, known hacker groups, including state-sponsored ones, have not disappeared and continue to evolve. The development of protective measures forces attackers to change their approaches, which in turn leads to further improvements in protection. This is a continuous cycle of mutual adaptation.
The hackers’ “cyber arsenal” is constantly expanded with new malware samples, including those that use advanced technologies. One example is the LAMEHUG malware used by the Russian GRU (UAC-0001, also known as APT28).
Today, malware distribution is no longer just a phishing email with an attachment, but often a complex social engineering operation that can last several days. At the same time, attackers have been actively using zero-click vulnerabilities as an alternative attack vector.
Overall, the last year was characterised by the active adaptation and development of hacker tactics, techniques, and procedures.
In December 2024, Ukraine experienced a cyberattack that affected several government databases. As a result, for a few weeks, people were unable to sell cars, file legal claims or register marriages digitally. Is there any lesson learned from this attack that you would like to share with Estonia?
Even the most advanced cybersecurity measures cannot guarantee 100% security – any organisation can become a target of attack at any time. That is why it is critically important to be prepared for the worst-case scenario, and backups must be stored in an isolated environment, separate from production systems. That remains the key to fast and controlled recovery.
What are some success stories from last year regarding thwarting cyberattacks against critical infrastructure?
Reducing the number of cyberattacks that achieve their goals is in itself an indicator of success. We focus on efficiency, particularly the exchange of actionable information about cyber threats in real time or as close to it as possible.
For example, in February 2025, we detected a cyberattack conducted by the Sandworm group. The primary method of infiltration was the distribution of emails with malicious attachments. Our analysis of this campaign revealed similar activity directed against more than 20 logistics companies and 25 developers of automated process control systems in Ukraine, as well as organisations in other European countries. This allowed us to respond quickly and prevent the attack from succeeding.
Combining this exchange with the experience and high qualifications of local specialists who clearly understand how to respond to such signals enables the timely detection and neutralisation of attacks.
We are grateful to everyone who contributes to the exchange of information about cyber threats and shares their knowledge. We not only receive this data but also give back to the community our own experience and relevant information – because sharing is caring.
If 2026 should bring a ceasefire or peace agreement for Ukraine, what would the implications be in cyberspace? Do you think cyberattacks against your country would continue regardless? Or would Russia focus its attention elsewhere?
It is next to impossible to predict Russia’s actions. Of course, we always hope for the best, but we are also preparing for any scenario. Even before the full-scale invasion, Russia carried out terrorist cyberattacks on Ukraine's energy infrastructure and continues to use cyberspace as a base for hybrid operations against Western countries, our partners, and anyone else they are interested in. Therefore, even if a peace agreement is signed, it is unlikely that attacks in cyberspace will stop completely. Their number may decrease, but they will not disappear.
From the outside, it appears that the last really destructive cyberattack in Ukraine was the one against Kyivstar in December 2023. Considering the ongoing warfare in Ukrainian cyberspace, do you think the worst is behind you, or is the worst yet to come?
We have survived more than one destructive cyberattack – Kyivstar in December 2023, state registries in December 2024, and Ukrainian Railways in March 2025. Our constant improvements to our cyber defence are probably why December 2025 was relatively calm. Does this mean that the worst is behind us? I don't think so – the enemy is constantly carrying out cyberattacks. Some of them are more successful, others less so. We are doing everything possible to prevent the worst, but if it does happen, we will be ready.
Last updated: 11.02.2026
