Ukraine war: cyberattacks move closer to the frontline

On 19 November last year, 1,000 days had passed since Russia’s full-scale invasion of Ukraine began. The battle in cyberspace, which supports military objectives, has lasted even longer.

The number of critical, high-impact incidents declined in 2024, but the total number of incidents and attacks targeting government institutions and local authorities increased.

Cybercrime for financial gain, state-linked groups targeting critical infrastructure and covert cyber intelligence activities have continued unabated.

Illustration: men in modern combat gear, one holding a sword and a shield in the colours of the Ukrainian flag. Drones and red missiles labelled "APT44" are flying towards them.

Cyberattacks supporting military objectives

A notable trend has been the increasingly systematic use of cyberattacks to support military objectives. Cyberattacks against the security and defence sectors increased compared to the previous year, and Russia intensified efforts to gather intelligence via Ukrainian military personnel’s devices.

Analysts from the cybersecurity company Mandiant reported on the consistent activities by the Russian state-linked group APT44, which hacked into the phones and other stolen devices of fallen Ukrainian soldiers to extract conversations and data. Enemy cyber activities aimed at monitoring troop movements and logistical chains have, in some cases, moved directly to the frontline.

Both military personnel and civilians are increasingly targeted through communication apps. Malware is distributed through these apps for financial gain and intelligence purposes, while compromised applications can also reveal the locations of users, such as military units.

As a result, Ukraine’s National Security and Defence Council decided in September to ban the use of Telegram on devices used by government agencies, the defence sector and critical infrastructure employees. Kyiv National University followed suit by prohibiting Telegram for its staff and advising students to limit its use. Despite these restrictions, Telegram remains one of the primary communication and news platforms in Ukraine. Even after the restrictions, exceptions were made for officials whose roles require ongoing public interaction.

What is APT44?

  • APT44 is a technically sophisticated hacker group linked to Russian military intelligence, also known as Sandworm.
  • It is one of the main state-backed cyber threats in Ukraine, though it operates elsewhere as well.
  • The group is active in disrupting critical infrastructure, conducting cyber intelligence and executing influence operations.
  • In 2015 and 2016, it attacked Ukraine’s power grid, causing outages affecting hundreds of thousands of people.
  • In 2017, APT44 deployed the NotPetya malware against Ukrainian networks. The malware quickly spread worldwide, causing an estimated $10–11 billion in damages.
  • In spring 2024, the group targeted Ukraine’s energy and water infrastructure, but Ukrainian efforts successfully thwarted the attack.

A grim December

As in 2023, the most impactful cyberattack on Ukrainian citizens occurred in December.

This time, nearly 60 national databases and registries were targeted, disrupting essential digital services, including issuing birth or death certificates, registering marriages, handling real estate transactions, inheritance processes and various other notarial services.

Several services in the state-run Diia app were also affected, as they could not connect to the necessary databases. At the time of writing, details about the attack remain scarce, but Ukrainian authorities suspect the involvement of Russian military intelligence.

While services had to revert to paper-based processes, some were recovered by the start of the new year, and further disruptions in other services are expected to be temporary.

This attack underscores that the aggressor waging a full-scale war of conquest continues to target and attempt to disrupt Ukraine’s critical civilian infrastructure.

Last updated: 17.02.2025
