In 2025, continued attacks on the public sector and critical infrastructure shaped Ukraine’s cyberspace, as the aggressor sought to advance its war objectives and erode Ukrainian morale.
According to Microsoft’s Digital Defense Report 2025, Ukraine was the most targeted country in Europe by state-backed threat actors. When conventional cybercrime is also taken into account, the same report ranks Ukraine fifth globally in terms of the intensity of cyberattacks.
The most common types of incident changed little: phishing, the distribution of malware for various purposes, malware infections, and the compromise of accounts and information systems all remained prevalent.
Interest in Signal messages
Cyberattacks and attempted intrusions are part of everyday life in Ukraine, as they are elsewhere, and threat actors seek to exploit both technological developments and user habits. In February, threat analysts at Google reported growing activity by Russian state-backed actors targeting the Signal messaging app, aiming to gain access to the accounts of individuals of interest and collect valuable intelligence.
In many cases, attackers abused Signal’s feature that allows a single account to be linked to multiple devices. Linking a device requires the user to scan a QR code; if attackers succeeded in tricking victims into scanning a QR code they had generated themselves, the entire message history would then be synchronised to a device under their control. To create a convincing pretext for scanning the code, attackers forged Signal’s own instructions or imitated applications used within the Ukrainian armed forces.
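The mismatch between what a QR code claims to do and what it actually encodes can be checked mechanically before anyone scans it. The following is an added example, not part of the original report: it classifies text already decoded from a QR image and flags a device-linking URI presented under any other pretext. The `sgnl://linkdevice` and `signal.group` formats, the `claimed_purpose` labels and the sample payloads are assumptions or constructed values, not taken from the report.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the report): Signal's device-linking QR codes carry a
# sgnl://linkdevice?uuid=...&pub_key=... URI; group invites use https://signal.group/#...
LINK_SCHEME, LINK_HOST = "sgnl", "linkdevice"
GROUP_HOST = "signal.group"


def classify_qr_payload(payload: str) -> str:
    """Return 'device-link', 'group-invite' or 'other' for decoded QR text."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return "other"
    if parts.scheme == LINK_SCHEME and host == LINK_HOST:
        return "device-link"
    # Exact host match: look-alike hosts such as signal.group.example.com fail.
    if parts.scheme == "https" and host == GROUP_HOST:
        return "group-invite"
    return "other"


def review(payload: str, claimed_purpose: str) -> dict:
    """Compare what the code does with what the surrounding message claims.

    claimed_purpose is a hypothetical label supplied by the analyst or gateway,
    e.g. 'group-invite', 'app-instructions' or 'link-my-own-device'.
    """
    kind = classify_qr_payload(payload)
    if kind == "device-link" and claimed_purpose != "link-my-own-device":
        params = sorted(parse_qs(urlsplit(payload.strip()).query))
        return {"verdict": "block", "kind": kind, "params": params,
                "reason": "scanning would link a new device to the account"}
    if kind == "other":
        return {"verdict": "inspect", "kind": kind, "params": [],
                "reason": "not a recognised Signal URI; treat as untrusted link"}
    return {"verdict": "allow", "kind": kind, "params": [],
            "reason": "payload is consistent with the stated purpose"}


if __name__ == "__main__":
    # Constructed sample payloads; the uuid and key values are placeholders.
    samples = [
        ("sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTED-KEY", "group-invite"),
        ("https://signal.group/#CONSTRUCTED-INVITE", "group-invite"),
        ("https://signal.group.example.com/#CONSTRUCTED", "group-invite"),
    ]
    for payload, claim in samples:
        print(claim, "->", review(payload, claim))
```

A `block` verdict is also a cue to review the list of linked devices in the affected account's Signal settings.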
In late June, Ukraine’s CERT-UA disclosed a second wave of attacks in which malware-laden documents were sent to government officials via messaging apps. Once again, these were precisely targeted attacks built around carefully constructed and highly credible contexts.
Attacks on critical infrastructure
Attacks against critical infrastructure continued. In March, a cyberattack hit Ukraine’s state-owned railway operator, Ukrzaliznytsia, disrupting ticket sales on its website and mobile app for several days. Long queues formed at ticket offices in major stations, although train operations and timetables were not affected. Ukrzaliznytsia is one of the world’s largest passenger and freight rail companies and plays a vital role in the war effort, including in the evacuation of civilians.
Artificial intelligence in the hands of attackers
A broader global trend in 2025 was the use of artificial intelligence (AI) to enhance the effectiveness of cyberattacks, and this was also evident in Ukraine. Experts assess that AI tools were used both to make phishing attempts more convincing and to assist in writing malware code. Traces of AI-generated code have been identified, for example, in malware known as Wrecksteel, which was used in attacks against Ukrainian government bodies and critical infrastructure. Wrecksteel’s purpose was to locate sensitive files on a network and exfiltrate them to a server under the attackers’ control.
A hardened defence
Years of operating under sustained attention from attackers of varying backgrounds – and, in some respects, serving as a testing ground for Russian groups – have hardened Ukraine’s cyber defenders and gradually increased the country’s cyber resilience.
As noted, 2025 was the first year since the start of Russia’s full-scale invasion in which Ukraine did not suffer a cyberattack with a major societal impact.
The situation in cyberspace remains fluid, however. Because serious attacks typically require lengthy and well-concealed preparation, no far-reaching conclusions should be drawn from a single year of relative success. Estonia, like other countries, should therefore closely follow developments in Ukraine’s cyberspace, as similar attack methods and patterns may appear elsewhere as part of Russia’s broader hybrid campaign against the West.
Last updated: 11.02.2026